Equipment rental: destroying contracts and customer data
An equipment rental company works with the data of every renter. Name and address on the rental contract, sometimes a copy of an identity document and deposit data as security, damage and incident files when something breaks, payment and invoice data, and CCTV footage of the yard. Part falls under the tax retention obligation, part you keep only as long as the rental runs and the settlement. This guide shows, by part, what you keep, when it may go and how to have it destroyed confidentially.
The quick answer. The invoicing and administration you keep for seven years because of the tax retention obligation. Rental contracts, deposit data and any ID copy you keep no longer than needed for the rental and the settlement. Damage files you keep as long as liability is in play. What may go disappears confidentially and with a certificate.
Two frameworks side by side
At a rental company two things run together. The tax retention obligation requires you to keep the administration for seven years, with invoices and payment data as part of it. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The tax obligation sets the floor for the administration, the GDPR the ceiling for all customer data that you may not keep too long.
So treat the data per type. A rental contract with only name and address has a different status than an ID copy or a damage file with photos. If you make that distinction, you keep exactly what you must and clear out the rest on time. This is the same consideration as with car rental and leasing companies, where the contract and the deposit are equally central.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the rental contract.
| Part | Starting point | Period |
|---|---|---|
| Invoicing and administration | Tax retention obligation | 7 years |
| Rental contract and customer data | As long as rental and settlement | purpose-bound |
| ID copy and deposit data | As limited as possible | only what is needed |
| Damage and incident files | Until liability lapses | purpose-bound |
| Yard CCTV footage | Storage limitation | a few weeks |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for your own assessment per file. When in doubt, consult your privacy adviser. The tax side is set out in the 7-year tax retention obligation. A complete overview is in the GDPR retention periods cheatsheet.
ID copies and deposit data with restraint
Many rental companies ask for an identity document and a deposit for the more expensive machines. That is understandable, but it does not mean you may keep a full copy of a passport. An ID copy contains a national ID number, a photo and more than you need, and is therefore sensitive. Record only the data you need to be able to hold the renter accountable and keep no single copies longer than necessary. Whatever you did have on paper you clear out confidentially.
That way you avoid managing a mountain of identity data you did not actually need. How to handle an ID copy when you do process it is explained in safely destroying a passport and ID copy. The deposit data you keep until the deposit has been refunded and no damage claim is still running. After that the purpose lapses and you clear them out.
Damage and incident files
If something breaks or damage occurs, you record it in a file with photos, a description and sometimes an insurance matter. Such a file you keep as long as liability is in play and a claim or dispute can still follow. Once the matter has been settled and the statutory limitation period has passed, the purpose lapses. Keep these files recognisably separate from ordinary rentals, because they often contain more personal data and sometimes sensitive details.
Keeping something to come in handy one day is not a valid ground. An expired damage file therefore belongs with the paper that is destroyed confidentially, not in a drawer that stays put for years.
CCTV footage on the yard
A rental company with an outdoor yard often installs cameras against theft of machines. That footage is personal data and falls under storage limitation. Do not keep it longer than needed for the purpose, in practice often a few weeks, unless a concrete incident has been recorded that you still need. Old footage and old recording equipment you clear out just as carefully as paper. This also plays a role with self-storage and customer contracts, where CCTV footage and contracts sit together on the site.
How to handle it in 6 steps
- Split the data into administration, rental contract, deposit and damage file.
- Limit ID copies and deposit data to what you really need.
- Treat damage files separately and clear them out when liability lapses.
- Set a period for CCTV footage and delete it automatically.
- Collect what may go in sealed containers, not with the waste paper.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
A rental company's customer data you have destroyed confidentially, because it contains identity, deposit and payment data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old front-desk computer, a hard drive from the camera system or a backup with rental contracts belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Customer data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Keeping ID copies. Record only what you need to hold the renter accountable.
- Keeping rental contracts endlessly. After settlement and the tax period the purpose lapses.
- Treating damage files as ordinary paper. Those need extra care and a separate period.
- Keeping CCTV footage indefinitely. Set a period and delete old footage.
- Throwing away unshredded. A rental contract with an ID copy on the street is a reportable data breach.
Frequently asked questions
How long must a rental company keep rental contracts?
The invoicing and administration fall under the seven-year tax retention obligation. The rental contract itself you keep as long as the rental runs and the settlement is still in play. Once the deposit and payment have been settled and there is no dispute, the purpose lapses.
May I keep a copy of a renter's identity document?
Be restrained here. An ID copy contains a national ID number and photo and is sensitive. Record only what you really need to be able to hold the renter accountable and keep no full copy longer than necessary.
How long do I keep deposit and payment data?
Payment and invoice data fall under the seven-year tax administration. The deposit data you keep until the deposit has been refunded and no damage claim is still running, after which you clear them out.
How do I destroy customer data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
An equipment rental company works with identity, deposit and payment data of every renter, between the tax retention obligation and the GDPR. Keep the administration for seven years, keep rental contracts only as long as the rental and settlement run and be restrained with ID copies. Damage files and CCTV footage you clear out as soon as the purpose lapses. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect your customers' data.
Read also: manufacturers: destroying business data, cleaning companies: destroying customer data, catering companies: destroying customer data and the GDPR retention periods cheatsheet.
Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.