Installation companies: destroying customer data
An installation company works in people's homes and in business premises. Electrics, central heating, heat pumps, solar panels, cooling or security: on every job you record customer addresses and contact details, sometimes key and access data for a building, service and maintenance contracts, inspection and installation reports and of course quotes and invoices. Some of it falls under the tax retention obligation, some you keep for the warranty and some should be kept as briefly as possible. This guide shows, per type of data, what you keep, when it may go and how to destroy it confidentially.
The quick answer: quotes that lead to a job and all invoices you keep for seven years under the tax retention obligation. Customer addresses and installation reports you keep as long as the relationship, the warranty or an inspection period runs. Key and access data you remove as soon as the job ends. What may go is destroyed confidentially and with a certificate.
Two frameworks: tax retention and GDPR
At an installation company two things run together. The tax retention obligation requires you to keep quotes, invoices and the related administration for seven years. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The tax duty sets the floor for your administration, the GDPR the ceiling for the customer and premises data you may not keep too long.
So treat the data per type. An invoice has a different status than a key code or an old installation drawing. If you make that distinction, you keep exactly what you must and clear out the rest on time. A brief look back at how long to keep documents helps to pin down the periods.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the job or the warranty.
| Part | Starting point | Period |
|---|---|---|
| Quotes and invoices | Tax retention obligation | 7 years |
| Customer addresses and contact details | Purpose-bound | until end of relationship or warranty |
| Key and access data | While management runs | at once when the job ends |
| Service and maintenance contracts | Term and dispute | contract term + reasonable period |
| Inspection and installation reports | Warranty and accountability | warranty or inspection period |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for your own agreements and the applicable standards. When in doubt, consult your trade association or privacy adviser. A complete overview by document type is in the GDPR retention periods cheatsheet.
Key and access data: extra sensitive
If you work with keys, key safes, alarm codes or access passes of a customer, you manage the security of that building. Such data is extra sensitive, because in the wrong hands it literally grants access. Note only what you need for the job, do not keep codes in a single notebook or a single email and remove them as soon as the management or the job ends. Whatever you had on paper, such as a printout with codes or a key plan, you destroy confidentially instead of putting it in the paper bin.
Record internally who has access to this data and keep desks and vans empty at the end of the day. A clean desk policy with destruction prevents a key plan or address list from lying around on a workbench.
Inspection, installation and delivery reports
An installation often comes with an inspection or installation report, a measurement report or a delivery document. You keep those as long as you must be able to account for the installation and the warranty or inspection period runs. As long as a customer can still claim a warranty or an inspection must still be valid, there is a valid ground to keep the report. Once that period lapses, so does the purpose, and you clear it out confidentially.
This works much like construction, where files after delivery have their own period. Anyone working with subcontractors or main contractors will recognise the approach from UAV-GC files after delivery. Keep what you must be able to demonstrate, clear out the rest in a structured way.
Service vans, planning and customer addresses on the road
A lot of customer data travels in the van: job sheets, address lists, planning and sometimes a navigation device or tablet full of addresses. That information should not lie around loose and certainly not go into the paper bin or a public waste bin. Collect finished job sheets in a sealed container and remove address data from equipment before you trade it in. The approach for data in and around a fleet is set out in driver data and the GDPR in your fleet.
How to handle it in 6 steps
- Split the data into administration, customer contact, key management, contracts and reports.
- Keep quotes and invoices for seven years under the tax duty.
- Remove key and access data as soon as the job or the management ends.
- Keep reports as long as the warranty or inspection period runs.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Customer data is destroyed confidentially, because it contains addresses, key and access data and sometimes financial data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old office computer, tablet or phone with customer and address data belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Customer data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Common mistakes
- Keeping key and alarm codes too long. Remove them as soon as the job or the management ends.
- Keeping reports forever. After the warranty or inspection period the purpose lapses.
- Leaving job sheets lying around in the van. Collect them sealed and destroy them confidentially.
- Throwing documents away unshredded. An address list or key plan on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long must an installation company keep quotes and invoices?
Quotes that lead to a job and all invoices fall under the seven-year tax retention obligation. Customer addresses and contact details you keep as long as the relationship or a warranty runs and then clear out.
What do I do with key and access data for premises?
Key codes, alarm codes and access data are extra sensitive. Remove them as soon as the job or the management ends and never keep them longer than necessary. Whatever was on paper you clear out confidentially.
How long do I keep inspection and installation reports?
You keep reports as long as the warranty or inspection period runs and you must be able to account for the installation. After that the purpose lapses and you clear them out confidentially.
How do I destroy customer data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
An installation company works with addresses, key and access data, contracts and reports of every customer, between the tax retention obligation and the GDPR. Keep quotes and invoices for seven years, keep reports as long as the warranty or inspection period runs and remove key and access data as soon as the job ends. Have whatever may go destroyed confidentially, with a certificate as proof. That way you meet both frameworks and protect your customers' data and the security of their premises.
Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.