Demonstrable destruction for the GDPR: how to prove data is gone
The GDPR asks not only that you destroy personal data, but also that you can show that you did. Demonstrable destruction means you can prove, with evidence in hand, that the data was made irreversibly unreadable. That evidence is usually a certificate of destruction, backed by an entry in your record of processing.
Want to check quickly whether you have this in order? Can you answer yes to each of these?
- Can you show that old files were actually destroyed?
- Do you have a certificate of that destruction with a date?
- Is the destruction in your record of processing?
- Do you know at which DIN level it was destroyed?
- Can you find this proof within a few minutes?
If you hesitate on any of these, the sections below show how to destroy demonstrably and what proof you need for it.
What does demonstrable destruction mean?
Destroying is an action; demonstrable destruction adds the proof. You not only make personal data unreadable, you also record that it happened and how. The difference is large: without proof your word is all you have, with proof you have a document a supervisory authority or auditor will accept. For the GDPR it is precisely that second thing that counts, because the law asks not only for careful action but also for the ability to show it.
The accountability principle
The core is article 5(2) of the GDPR, the accountability principle: you are not only obliged to follow the rules, you must also be able to demonstrate that you do. That applies across the whole life of personal data, from collection to destruction. Data that is past its retention period and was not demonstrably cleared out is a weak spot in your accountability. The certificate of destruction is the proof that the last link in the chain is in order.
Storage limitation and appropriate measures
Two other provisions support this. Article 5(1)(e) requires storage limitation: you keep personal data no longer than needed for the purpose. Article 32 requires appropriate technical and organisational measures to protect that data, right up to the moment it is destroyed beyond recovery. Demonstrable destruction is where the two meet, because you show both that you cleared out in time and that you did so in an appropriate way. What this means for SMEs is in GDPR requirements for SMEs.
Who does demonstrable destruction apply to?
The accountability principle applies to every organisation that processes personal data, from a sole trader to a large company. An accounting firm with client files, a healthcare practice with patient data, a webshop with customer data, an HR department with personnel files: all must be able to show that old data was cleared out properly. The approach is the same for all: destroy to the right level and keep the proof. The more sensitive the data, the more important that proof.
First the retention period, then destruction
Demonstrable destruction starts with knowing when something may go. Some documents you are required to keep, such as the tax administration you must retain for seven years. Only once that period has passed may you destroy them, and then the proof belongs with it. So first check the retention period per category and clear out afterwards. An overview of common periods is in the GDPR retention periods cheatsheet.
How do you prove destruction?
Demonstrable destruction rests on three pillars:
- A certificate of destruction per job, with the date, quantity and level.
- A note in the record of processing, so the destruction is part of your administration.
- A short destruction policy, stating how and when you destroy.
Together they form a conclusive story: the certificate proves the individual action, while the record and the policy show it was not a one-off but part of a fixed working method.
The certificate of destruction
The most important piece of evidence is the certificate of destruction. It states the date, the quantity and the DIN 66399 level applied, and for data carriers the serial numbers as well. At an inspection or a question from a client you can immediately show what happened. Keep the certificate in your GDPR file, preferably digitally so you can find it quickly. A certificate you cannot find is worth as much as no certificate.
The record of processing
Besides the certificate, the destruction belongs in your record of processing (article 30 GDPR). There you record which categories of personal data you process, how long you keep them and when they are destroyed; article 30 itself asks for the envisaged time limits for erasure where possible. A reference to the certificate completes the circle, so a supervisory authority sees at a glance that you not only set a retention period but also actually enforce it. How to set that up is in the record of processing for archives and destruction.
One-off or periodic clear-out?
Demonstrable destruction works best as a fixed rhythm. Many organisations review once a year which files are past their retention period and hand those over in a single pickup. Each year that produces a certificate that goes into the file, so you build a line of evidence automatically. With a one-off clear-out, for example after a move, you get a single certificate. Both count, but a fixed rhythm paints a more convincing picture at an audit.
A destruction policy
A short guideline completes the picture. In it you record what counts as confidential, at what level you destroy it, how often you clear out and who is responsible. It need not be a hefty document; half a page often suffices. The effect is that demonstrable destruction is no longer a separate action but a fixed part of your information security. At an audit that counts heavily, because it shows the care is embedded in your organisation.
Sealed collection strengthens the proof
Demonstrability begins at collection. If the paper is taken away in sealed containers and the chain from collection to destruction stays closed, there is no moment at which a file can go missing. That makes the proof stronger: you can show not only that the data was destroyed but also that it was safe on the way there. An open bin standing on the street for days offers no such certainty; a sealed collection does. That closed chain is also called the chain of custody.
The DIN level as part of the proof
Demonstrable destruction is not only about the fact that it was destroyed, but also how. DIN 66399 defines security levels for paper (P-1 to P-7) by the maximum size of the remaining particles; the three that matter most in practice:
| Level | Particle size | Suitable for |
|---|---|---|
| P-2 | Strips, max. 6 mm wide (particle ≤ 800 mm²) | Internal print without personal data |
| P-4 | Particles ≤ 160 mm² (strip width ≤ 6 mm) | Documents with personal data |
| P-5 | Particles ≤ 30 mm² (strip width ≤ 2 mm) | ID numbers, medical and other special-category data |
The certificate states the level, so you can show it was appropriate to the sensitivity of the data. More on the levels is in DIN 66399 explained.
Demonstrability in a data breach
In a data breach, demonstrability suddenly becomes very concrete. A breach that is likely to pose a risk to data subjects must be reported to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If you can show that the data in question had already been demonstrably destroyed before the incident, it falls outside the breach, which limits both the damage and your liability. Conversely, a leak from paper thrown out unshredded shows precisely that the clearing-out was not in order. How the reporting duty works is in reporting a data breach in 72 hours.
Demonstrability in an audit or inspection
In an audit or an inspection by the data protection authority you are often asked how you handle personal data at the end of its life. Then the proof comes out. With certificates, a record and a policy you show in a few minutes that you destroy demonstrably. Without that proof it remains good intentions. Good intentions are not enough in an inspection. How to close an archive audit-ready is in audit-ready closing of the archive.
Paper and data carriers both demonstrable
Demonstrable destruction applies not only to paper. Personal data also lives on hard drives, USB sticks and phones, and those require the same proof. Deleting files or formatting a drive is not destruction; the data is usually recoverable, which is why the carrier itself is physically destroyed. DIN 66399 defines separate levels for data carriers (for example H for hard drives and E for USB sticks and other electronic media), so the right level differs per carrier. For data carriers the serial numbers go on the certificate, so the proof is traceable to the specific carrier. The practical advantage is that paper and data carriers can go in the same pickup, each destroyed to its own level, with conclusive proof for both. That way you cover the whole flow of personal data.
What does demonstrable destruction cost?
The proof costs nothing extra. You pay a fixed price per box or roll container, from about 30 euro for the first box, and the certificate is included. Data carriers are charged per item, with serial-number registration included. Within 20 km of Amsterdam we charge no call-out fee. Demonstrable destruction is therefore no more expensive than ordinary destruction; the only difference is the proof you keep. The full pricing is in archive destruction cost.
What happens after destruction?
After destruction the shredded paper goes to a paper mill, where it is pulped into new fibres. Data carriers are sent for material recycling. The data is then irrecoverably gone, while the raw material gets a second life. For your accountability that changes nothing, the proof remains the certificate. But it does show that demonstrable clearing-out and sustainability go together fine.
How long do you keep the proof?
The GDPR sets no fixed retention period for the proof itself; as a practical minimum, keep the certificates for at least 5 years in your GDPR file. At an inspection, a data breach or a question from a data subject you can then immediately show that the data was destroyed. Archive them digitally and in a fixed place, so they can be found. Demonstrable destruction stands or falls with findable proof, because proof you cannot present does not count in practice.
What if you have no proof?
If you ever destroyed old files without a certificate, you can no longer show that past. So start from now with proof and make sure every next destruction produces a certificate. For files that are still lying around, plan a pickup and start a clean line of evidence at once. You cannot restore demonstrability retroactively, but you can start with it straight away. In an inspection what mainly counts is that you have it in order now.
Archiving the proof digitally
Paper certificates go missing; a digital folder does not easily. Scan or store every certificate in a fixed folder alongside your record of processing and give it a recognisable name with the date. That way you find the right proof within minutes at an inspection. Do not make finding it dependent on a person but on a fixed place: proof only one colleague can find is, in their absence, as good as lost.
Practical tips
- Always ask for a certificate with date and level, not just a confirmation.
- Note the destruction in your record of processing.
- Archive certificates digitally in a fixed place.
- Hand over data carriers in the same collection, with serial numbers on the certificate.
Demonstrable in 4 steps
- Determine which documents are past their retention period.
- Have it collected and destroyed to the right DIN level.
- Keep the certificate and note it in your record.
- Keep the proof findable for an inspection or data breach.
Common mistakes
- Destroying but no proof. Without a certificate you cannot show it happened.
- Not registering the proof. A certificate not in the record lacks the context.
- Too low a level. For ID numbers and special data P-5 is needed, not P-2.
- Losing the certificate. Unfindable proof is in practice no proof.
A real-world example
Imagine a healthcare practice gets an inspection and is asked how old patient files are disposed of after the retention period. The practice shows that the files are collected yearly and destroyed at P-5, with a certificate per pickup. In the record of processing the retention period and a reference to the certificates are recorded. A short guideline describes the working method. The inspector sees in a few minutes that the practice destroys demonstrably and has no further questions on the point: no discussion, and no grounds for a sanction.
Have it destroyed demonstrably with a certificate?
Tell us what you have and you get a fixed price. We collect it, destroy it to the right DIN level and you receive a certificate as proof for your GDPR file. No call-out fee within 20 km of Amsterdam.
Frequently asked questions
What does demonstrable destruction mean?
That you not only destroy personal data but can also prove it happened. The proof is usually a certificate of destruction with the date and level.
Why does the GDPR ask for demonstrable destruction?
Through the accountability principle in article 5(2) you must be able to show you comply with the GDPR, including that you destroyed data correctly after the retention period.
How do I prove destruction?
With a certificate of destruction, a note in your record of processing and a short destruction policy stating how and when you destroy.
How long do I keep the proof?
Keep the certificate for at least 5 years in your GDPR file, so you can show in an inspection or data breach that the data was destroyed.
Does demonstrable destruction also apply to data carriers?
Yes. For hard drives, USB sticks and phones the serial numbers are on the certificate, so the proof is traceable to the carrier.
Conclusion
Demonstrable destruction is the core of careful clearing-out under the GDPR. The law asks not only that you destroy personal data, but that you can prove it. So arrange a certificate of destruction, a note in your record of processing and a short policy. Keep the proof for at least 5 years and keep it findable. That way you meet the accountability principle and are never empty-handed in an inspection or data breach.
What may you do with a security camera? Read CCTV camera rules for business and home.
How long may you keep applicant data? Read applicant data retention and destruction.
Have it destroyed demonstrably? Request a quote via desnipperaar.nl or read how destroying confidential documents works. You receive a certificate as proof.