DPIA and archive destruction: does destruction belong in a DPIA?
A Data Protection Impact Assessment (DPIA) sounds heavy, but is essentially a structured risk analysis for high-risk processing. Destruction itself is generally not the trigger for a DPIA, but the earlier phase, retention, may be. And even if no formal DPIA is required, the DPIA questions are a good framework for archive and destruction policy. This article shows when what is required and how to fill it in meaningfully.
When is a DPIA mandatory?
GDPR article 35 requires a DPIA for processing with ‘likely high risk to the rights and freedoms of data subjects’. The Autoriteit Persoonsgegevens published a list of mandatory categories, including:
- Large-scale processing of special categories of personal data.
- Systematic monitoring (camera, location, behaviour).
- Profiling with legal consequences.
- Processing of data of vulnerable groups (children, patients).
- Use of new technologies with unknown risks.
An average SME that retains customer administration and eventually destroys it has no DPIA obligation. A hospital that archives 10,000 patient files does.
Where does destruction touch the DPIA?
Destruction itself is a risk-mitigating step, not a risk-increasing one. The DPIA relevance comes into view in three places:
- Retention duration and archive storage. The longer you retain, the greater the cumulative risk. The DPIA explicitly assesses whether the retention period is proportionate.
- Security of the archive. Access control, room security, chain of custody. This falls under ‘technical and organisational measures’.
- Destruction method and proof. Which DIN classification, which provider, which certificate. This you show as the watertight closure of the life cycle.
Template: destruction in the DPIA form
Most DPIA forms have a section ‘life cycle and disposal’. Fill in at minimum:
| Field | Example value |
|---|---|
| Retention period | 5 years after the end of the treatment relationship |
| Legal basis for the period | WGBO art. 7:454 BW (medical files up to 20 years; 5 years for closed cases) |
| Trigger | Date of last consultation or signing of file closure |
| Destruction method | On-site paper shredder DIN P-5; HDDs at DIN H-5 |
| Provider | DeSnipperaar (processor agreement in place) |
| Certificate retention | 5 years in compliance archive |
| Residual risk after destruction | Negligible; reconstruction mathematically infeasible |
Risk analysis: three scenarios
Scenario 1: Loss in the archive cabinet (internal)
- Likelihood: low (locked cabinet, limited access).
- Severity: medium (depending on content).
- Measure: access log, annual audit.
Scenario 2: Loss during transport to the shredder
- Likelihood: low with on-site destruction (no external transport step), higher with offsite.
- Severity: medium-high (bulk lost in one go).
- Measure: choose on-site destruction, read on-site versus offsite shredding.
Scenario 3: Insufficient fineness of destruction
- Likelihood: low at DIN P-5, almost zero at P-6.
- Severity: low-medium (reconstruction takes much effort).
- Measure: choose appropriate DIN level, demand it on the certificate.
The DPIA is not a fill-in exercise; it is a framework that forces you to name risks and corresponding measures honestly.
Mitigating measures: a list
- Retention periods set and automated in the archive system.
- Access control on the archive cabinet (key, log).
- Processor agreement with the destruction provider (read the checklist).
- On-site destruction for the shortest chain.
- DIN P-5 as standard, P-6 for special categories.
- Certificate with date, method and classification.
- Certificate kept for 5 years.
Broader context: destruction is risk-reducing
A DPIA team can be tempted to frame destruction as ‘risk-introducing’ (transport movements, provider access). That is true at the level of ‘extra chain step’, but misleading at the level of cumulative risk over the life cycle. A file that sits in an archive cabinet for 30 years has a much higher chance of loss than a file that is properly destroyed after 5 years. The DPIA must acknowledge this cumulative effect.
For sectors with regular DPIA obligation
Sectors where DPIA is common have specific points:
- Healthcare: WGBO 20 years standard; read WGBO and patient files.
- Education: student files; read schools and student files.
- HR/recruitment: candidate files; read candidate files.
- Financial: Wft and MiFID files; read MiFID II archive.
When is a DPIA not mandatory but useful?
- On relocation or merger: cumulative processing of archives.
- On switching to a new destruction provider: chain impact.
- On the introduction of new media types (e.g. cloud backups that also exist physically).
- On a large one-off clear-out: temporarily elevated risk during execution.
Destruction evidence for your DPIA file.
We provide a processor agreement plus certificate per order as standard. Ready to paste directly into your DPIA appendix.
Request a quoteWorking on a DPIA? Email us via desnipperaar.nl; we are happy to share a template row for the destruction section.