Insurance brokers: destroying client files
An insurance broker manages the full picture of a client: policy files, claim and loss data, payment data and, for life and health insurance, health data too. Part of it falls under the retention duty of the Wft, part under the tax rules, and part should be kept as briefly as possible. This guide shows, part by part, what you keep, when it may go and how to destroy it confidentially.
The short answer is as follows. You keep the core of the advice and intermediation file under the Wft, usually for five years, and the financial administration for seven years under the tax retention obligation. You keep health data and other client data no longer than necessary for the advice and the running policy. What may go is destroyed confidentially and with a certificate.
Three frameworks: Wft, tax and GDPR
At a brokerage three frameworks run together. The Wft requires a file that records the advice and the intermediation, with its own retention period of usually five years. The tax retention obligation means your administration is kept for seven years. The GDPR also requires not keeping personal data longer than necessary. The first two frameworks set the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.
So treat the client files per type. An advice note has a different status than a copy of a policy schedule, a claim notification or a health declaration. If you make that distinction, you keep exactly what you must and clear out the rest on time. More on the basics is in keeping Wft files for 5 years.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the Wft period from the end of the service or the policy.
| Part | Starting point | Period |
|---|---|---|
| Financial administration and commission | Tax retention obligation | 7 years |
| Advice and intermediation file | Wft duty of care | usually 5 years |
| Client investigation and identification | Wwft | 5 years after the relationship ends |
| Claim and loss data | Until settlement and tax | purpose-bound + 7 years |
| Insurance health data | Special-category, storage limitation | as briefly as possible |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for your own policy. When in doubt, consult your compliance function or privacy adviser. The investigation of the client has its own period, which you find in Wwft: keeping client investigation for 5 years.
Health data: special-category personal data
Life and health insurance bring sensitive information across your desk. A health declaration, a medical substantiation with a claim or a screening result touches on health data. That is special-category personal data, for which the GDPR sets stricter requirements. Keep that information recognisably separate from the ordinary administration, use it only for the advice or the running policy and clear it out afterwards. Keeping it because it may come in handy one day is not a valid ground.
Be restrained with a copy of an identity document too. Such a copy contains a national ID number and a photo and is sensitive. Note only what you actually need and do not keep loose copies longer than necessary. Whatever you did have on paper, clear out confidentially.
Clearing out after the policy
Once a policy stops, the purpose of the file shifts. The duty of care runs on for a number of years and the administration is still kept for tax purposes, but many loose documents no longer have a ground. Settled claim and loss data, old quotes and expired health declarations can go once the period has passed and no complaint or dispute is in play. The settlement of claims and policies at the insurer itself is covered in insurers: destroying claim and policy files.
If you work with external parties that process files, record the agreements on keeping and destruction. What that looks like is set out in the processor agreement checklist.
How to handle it in 6 steps
- Split the data into administration, advice file, client investigation and health data.
- Limit identity data to what you actually need.
- Treat health data separately and clear it out after the advice or the policy.
- Keep to the Wft and tax periods per type of file.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Client files are destroyed confidentially, because they contain identity, financial and sometimes health data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old office computer or backup with policy files belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Common mistakes
- Treating health data as ordinary paper. Special-category data needs extra care.
- Keeping policy files forever. After the Wft and tax period the ground lapses.
- Collecting copy IDs. Note only what you actually need.
- Throwing files away unshredded. A policy file on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long must an insurance broker keep a client file?
You keep the core of the advice and intermediation file under the Wft, usually for five years, counted from the end of the service. The financial administration falls under the seven-year tax retention obligation. Other client data you keep no longer than necessary.
May I keep health data from a life or health insurance policy?
Health data is special-category personal data and calls for extra restraint. Keep it only as long as it is needed for the advice or the running policy and clear it out confidentially afterwards. Keep it recognisably separate from the ordinary administration.
What do I do with a policy file after the insurance ends?
Keep what the Wft and the tax rules require and clear out the rest. Once the retention period has passed and no complaint or dispute is in play, you have the file destroyed confidentially.
How do I destroy client files in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
An insurance broker works with identity, financial and sometimes health data of every client, between the Wft, the tax retention obligation and the GDPR. Keep the advice file for the Wft period, keep the administration seven years and be restrained with health data and identity copies. Clear out whatever no longer has a ground after the policy ends. Have it destroyed confidentially with a certificate as proof. That way you meet all the frameworks and protect your clients' data.