Destroying confidential documents: the complete guide

Destroying confidential documents sounds simple, but it is exactly the step where things often go wrong. A box of old files with the waste paper, an expired contract in the bin, a payslip lying half-legible in the rubbish. Each one a small act that can be a data breach under the GDPR. This guide sets out what confidential documents are, why throwing them out unshredded is not allowed, which security level you need and how to destroy everything safely and verifiably.

What are confidential documents?

A document is confidential as soon as it contains personal data or commercially sensitive information. In practice that is more often than you think.

  • Personnel: payslips, contracts, appraisal reports and copies of ID documents.
  • Clients: quotes, client files, invoices and correspondence.
  • Financial: bank statements, annual accounts and tax returns.
  • Special data: medical information, social security numbers and data on health or religion.
  • Drafts and working versions: non-final documents often contain sensitive information too.

The rule of thumb is simple. If the document could harm someone, or a competitor or fraudster could make use of it, then it is confidential and should be destroyed confidentially.

Why you cannot simply throw confidential paper away

Article 32 of the GDPR requires appropriate measures to protect personal data. That duty does not end at storage; it applies until the document is illegible. Putting it out unshredded with the waste paper is therefore a reportable data breach. For businesses, the data protection authority can impose a fine for it; see our guide on GDPR requirements for document destruction.

On top of that, paper with personal data is a favourite target for identity fraud. A discarded bank statement or ID copy is enough to harm someone. Which items do not belong with paper at all is covered in what does not belong in the paper bin.

How thorough must destruction be?

Tearing in half is not destruction. The European standard DIN 66399 defines how small the particles must be. The P-series applies to paper.

Level        Particle size                Suitable for
P-2          strips approx. 6 mm wide     General print without personal data
P-3          approx. 2 × 200 mm           Internal documents, insufficient for personal data
P-4          approx. 4 × 40 mm            Ordinary personal data (standard)
P-5          approx. 2 × 15 mm            Special data: SSN, medical, ID copy
P-6 / P-7    approx. 1 × 5 mm or finer    Government and secrecy-sensitive

For most organisations P-4 is the norm and P-5 for sensitive files. A cheap office shredder usually does not reach P-5. Unsure whether to do it yourself or have it done? That trade-off is in document destruction: outsource or do it yourself.

Three ways to destroy confidential documents

1. Destroy it yourself, small quantities

For a handful of sheets a week, a good cross-cut shredder that reaches at least P-4 is enough. Record who destroyed what and when, because without proof you are empty-handed in an inspection.

2. Have it collected, larger quantities

Whole boxes at a time are no longer practical to shred yourself. In that case you have your material collected and destroyed confidentially, and you receive a certificate. No preparation is needed: folders and staples can go straight in. This is how one-off archive destruction works for businesses.

3. Private individuals at home

You build up an archive at home too. For small quantities you shred it yourself; see destroying confidential documents at home. For whole boxes at a time you have it collected; see archive destruction for individuals.

Common mistakes

A few mistakes come up again and again. They are easy to avoid.

  • Keeping it too long. Keeping documents longer than necessary is itself a GDPR breach. Check the retention period annually; see the retention periods cheatsheet.
  • Too low a DIN level. A strip-cut device (P-2 or P-3) leaves legible strips. For personal data that is insufficient.
  • Keeping no proof. Without a log or certificate you cannot show that you destroyed anything.
  • Forgetting digital. Shredding paper neatly but leaving old hard drives in the cupboard is only half a solution.

Digital confidential documents

Confidential documents are now often digital too. Deleting a file and emptying the recycle bin is not destruction. The data remains on the carrier and can be recovered with standard tools. For certain destruction, physical destruction of the data carrier is needed, or a certified wiping method. Read how to dispose of USB sticks and memory cards safely. You can often hand over paper and digital carriers in the same collection.

The proof: certificate of destruction

Whoever has it destroyed should receive a certificate of destruction stating the date, quantity and the DIN level applied. That certificate is your proof towards the data protection authority, an auditor or a client. Keep it for at least 5 years in your GDPR file.

Destroying confidential documents in 5 steps

  1. Decide what is confidential. When in doubt, treat a document as confidential.
  2. Separate destroy from keep. Check the retention period and set aside what must still be kept.
  3. Choose the DIN level. P-4 for ordinary documents, P-5 for special data.
  4. Destroy. Small volume yourself, larger volume have it collected.
  5. Keep the certificate as proof in your GDPR file.

Have confidential documents destroyed?

We collect your documents and destroy them to DIN 66399 P-4 or P-5, with a certificate per job. No call-out charge within 20 km of Amsterdam, no contract.

Frequently asked questions

What counts as confidential documents?

Anything with personal data or commercially sensitive information. Think of payslips, contracts, client files, medical data, bank statements and copies of ID documents. Drafts and working versions count too.

Can I put confidential paper in the waste paper?

No. Throwing it out unshredded is a data breach you must report to the data protection authority. Confidential paper must be made illegible before it is disposed of.

Which DIN level do I need?

At least DIN 66399 P-4 for ordinary office documents. For special categories of personal data such as medical files, social security numbers and ID copies, P-5 is recommended.

Can I have confidential documents collected?

Yes. Your boxes are collected and destroyed confidentially, and you receive a certificate. This applies to both businesses and private individuals, at the same rates.

What about digital confidential documents?

Deleting a file is not destruction. Data remains on carriers such as hard drives and USB sticks. For certain destruction, physical destruction of the carrier is needed.

How do I prove I destroyed confidential documents?

With a certificate of destruction stating the date, quantity and the DIN level applied. Keep it for at least 5 years in your GDPR file.

Do I have to remove folders and staples before having it destroyed?

No. Folders, ring binders, staples, paperclips and plastic sleeves can all go in. No preparation is needed.

Conclusion

Destroying confidential documents is not a side issue but a legal obligation, with a privacy and fraud risk if you get it wrong. The rule is simple. Never throw confidential paper out unshredded, choose the right DIN level and keep a certificate as proof. For larger quantities you have it collected and destroyed, so you are rid of it with peace of mind.


Want to have confidential documents destroyed? Request a quote via desnipperaar.nl or read how to have paper shredded. Within 5 minutes you have a fixed price.