Funeral directors: destroying records confidentially

A funeral home works with files that are among the most personal there are: data of a deceased person, of the next of kin and of the person commissioning the funeral, wishes about faith and farewell, medical information and payment data. These files raise a special question, because the GDPR applies to living persons and not to the deceased. Yet a funeral file is far from GDPR-free. This guide shows what does and does not fall under it, which retention periods apply and how to destroy the files confidentially.

The quick answer: data of only a deceased person strictly falls outside the GDPR, but a funeral file always contains data of next of kin and the person commissioning the funeral, and that is personal data. Keep the administration for seven years under the tax retention obligation, and the substantive file for as long as there is a reason. Whatever may go is destroyed confidentially and with a certificate.

The GDPR and the deceased

The GDPR protects the personal data of living persons. Data that concerns only a deceased person strictly falls outside it. In practice that distinction is less sharp than it seems, because a funeral file rarely concerns only the deceased. The person commissioning the funeral, the next of kin, the contacts and sometimes an executor are all in it, and their data is simply personal data.

In addition, much data about a deceased person indirectly touches living persons too. Information about a hereditary condition says something about family members, and family relationships concern more than one person. So treat a funeral file as a whole with care, regardless of the theoretical line. That way you do justice to the next of kin and avoid risks.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the completion of the commission.

| Part | Starting point | Period |
|---|---|---|
| Invoicing and administration | Tax retention obligation | 7 years |
| Commission and next-of-kin contact data | While there is a reason | purpose-bound |
| Wishes about faith and farewell | Special-category data | destroy finely |
| Medical information | Special-category data | destroy finely |
| Insurance and payment data | Until settlement | + tax period |
| Correspondence and drafts | No retention obligation | clear out at once |

Use this as a guideline, not a final legal ruling. When in doubt about a specific file, consult your trade association or adviser. The tax side is covered under the 7-year tax retention obligation.

Sensitive wishes and medical information

A funeral file often contains data about faith, belief and the health of the deceased or the next of kin. That is special-category personal data, with stricter rules. It should be secured separately and be accessible only to those who need it, and as soon as it is no longer needed it should be destroyed at a fine level. That way you do justice to the sensitivity of the moment.

Keep this data recognisably separate within the file. That way you avoid the whole file inheriting the longest period of its most sensitive part, and you can clear out the special data specifically as soon as the commission is completed and there is no reason to keep it.

Next of kin and aftercare

After the funeral, contact with next of kin often continues for a while, for aftercare, a memorial moment or the settlement of an insurance policy. As long as there is a concrete reason for it, you may keep the contact data. If that reason lapses, this part too should be cleared out. Keeping it to be able to send something one day is not a valid ground under the GDPR.

Be extra careful here, because next of kin are vulnerable and expect you to handle their data as you handled the funeral. An old file that surfaces where it should not is not only a data breach but also a breach of trust.

How to handle it in 6 steps

  1. Split the file into administration, commission data, special data and correspondence.
  2. Clear out drafts and correspondence without a retention obligation confidentially at once.
  3. Treat faith and medical data separately and at a fine destruction level.
  4. Assess per file whether there is still a reason to keep it.
  5. Collect what may go in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Funeral files are destroyed confidentially at a fine level, because they contain special data and payment data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old computer or backup with files belongs with it too.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof that you acted carefully, including under the GDPR where the next of kin are concerned. Record the destruction in your GDPR administration. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; everything is collected by appointment.

Common mistakes

  • Thinking a funeral file is GDPR-free. The data of next of kin and the commissioner does fall under the GDPR.
  • Keeping the whole file for the same period. Administration, commission and special data have different periods.
  • Treating faith and medical data as ordinary paper. That is special data.
  • Throwing files away unshredded. A funeral file on the street is a data breach and a breach of trust.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

Does data of a deceased person fall under the GDPR?

The GDPR applies to living persons, so data of only a deceased person strictly falls outside it. A funeral file, however, always contains data of next of kin and the person commissioning the funeral, and that is personal data. So treat the file as a whole with care.

How long does a funeral home keep a file?

Invoicing and administration fall under the seven-year tax retention obligation. Keep the substantive commission file while there is a reason, such as aftercare or a running matter, and clear it out afterwards.

Are wishes about faith or belief sensitive data?

Yes. Data on faith, belief or the health of next of kin is special-category personal data. It requires extra care and destruction at a fine level as soon as it is no longer needed.

How do I destroy funeral files confidentially?

Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.

Conclusion

A funeral file is among the most personal there is, even though the deceased strictly falls outside the GDPR. The next of kin and commissioners do fall under it, and much data indirectly touches living family members. Keep the administration for seven years, treat faith and medical data separately, clear out as soon as there is no longer a reason and do so confidentially. Close every destruction with a certificate. That way you handle the data as the next of kin may expect of you.

Have funeral files collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.