Manufacturers: destroying business data
A manufacturer manages far more than machines and stock. In the offices and on the shop floor lie personnel and payroll administration, R&D documents and product secrets, quality and supplier files, customer and order data and a growing pile of old data carriers and prototypes. Part falls under a statutory retention obligation, part is competition-sensitive and part should be kept as briefly as possible. This guide shows, by type, what you keep, when it may go and how to have it destroyed confidentially.
The quick answer: the financial administration you keep for seven years, personnel and payroll data have their own periods and R&D and product secrets you keep as long as they are relevant. What may go disappears confidentially and with a certificate, not into the paper bin on the shop floor.
Two frameworks: retention obligation and GDPR
At a manufacturer two things run together. The tax and administrative retention obligation determines what you must keep at a minimum. The GDPR determines that you do not keep personal data longer than necessary. The retention obligation forms the floor, the GDPR the ceiling. Between them sits a third interest that weighs heavily in industry. Your trade secrets and technical knowledge you want to protect from unwanted eyes.
So treat the data by type. A payslip has a different status than a production drawing or a supplier file. If you make that distinction, you keep exactly what you must and clear out the rest on time and safely.
Retention periods by component
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the moment the purpose has been reached.
| Component | Starting point | Period |
|---|---|---|
| Financial administration | Tax retention obligation | 7 years |
| Payroll administration | Tax and payroll tax | 5 to 7 years |
| Personnel file | GDPR, purpose-bound | usually 2 years after leaving employment |
| R&D and product secrets | Commercial interest | as long as relevant |
| Quality and supplier files | Contract and standard | term + warranty |
| Customer and order data | Performance and tax | purpose-bound + 7 years |
Use this as a guideline, not as a substitute for your own sector rules or contracts. When in doubt, consult your accountant or privacy adviser. The tax side is worked out in the 7-year tax retention obligation and the complete overview is in the GDPR retention periods cheatsheet.
Personnel and payroll administration
The shop floor produces a lot of personal data. Employment contracts, payslips, absence overviews, evaluations and copies of diplomas. The payroll side has tax periods, the personnel file falls under the GDPR and usually goes a few years after leaving employment. A payroll tax statement and identity document have their own period. Keep those components separate and clear out per employee what has reached its purpose. How exactly to build this up you read in the retention period of the personnel file.
R&D, product secrets and prototypes
Here sits the core of a manufacturer. Drawings, recipes, test results, calculations and prototypes represent years of investment. These documents rarely fall under a statutory retention obligation, but the damage from a leak is great. An old production drawing in the recycling can end up with a competitor. So treat R&D material as confidential, keep it as long as it is relevant and then have it destroyed in a controlled way. That also applies to physical prototypes and models that reveal your design. With counterfeiting and brand protection the same logic applies, as described in counterfeit and brand protection.
How to handle it in 6 steps
- Split the data into administration, personnel, R&D, quality and orders.
- Keep to the retention obligation for the financial and payroll administration.
- Mark R&D and product secrets as confidential and keep them out of the recycling.
- Clear out customer and order data as soon as performance, warranty and the tax authorities allow.
- Collect what may go in sealed containers, including old data carriers and prototypes.
- Have it destroyed confidentially with a certificate and record it in your register.
Have it destroyed confidentially with a certificate
Business data you have destroyed confidentially, because it contains personal, financial and competition-sensitive information. The paper and the data carriers travel sealed and stay that way until destruction, so the chain is closed. An old production server, a backup drive or a prototype with your design belongs with it too. On the shop floor such material otherwise easily disappears uncontrolled. More background on paper is in confidential paper destruction for businesses.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and your own quality system that you acted carefully. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Business data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- R&D drawings with the recycling. Product secrets should be destroyed confidentially.
- Leaving old data carriers lying around. A written-off server or drive often still contains everything.
- Keeping personnel files endlessly. After the period the ground to keep them lapses.
- Forgetting supplier files. Price agreements and contracts are confidential too.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long must a manufacturer keep its administration?
The financial administration falls under the seven-year tax retention obligation, counted from the end of the financial year. Personnel and payroll data have their own periods. R&D documents you keep as long as they are commercially or legally relevant and then clear out confidentially.
May I simply throw away R&D documents and product secrets?
No. Drawings, recipes and test results are competition-sensitive and do not belong with the recycling. Have them destroyed confidentially with a certificate, so that the knowledge does not end up outside your company.
How long do I keep customer and order data?
The part that belongs to the invoicing falls under the seven-year tax rule. Other order and contact data you keep no longer than needed for performance, warranty and any liability.
How do I destroy old data carriers and prototypes in line with the GDPR?
Sealed and with a certificate of destruction. Hard drives, backups and prototypes travel sealed and the destruction is recorded in the record of processing.
Conclusion
A manufacturer works with personal, financial and competition-sensitive data, between a retention obligation and the GDPR. Keep the administration for seven years, clear out personnel files after the period and treat R&D and product secrets as confidential as long as they live. Customer and order data go once performance and the tax authorities allow. Do not forget the old data carriers and prototypes. What may go you have destroyed confidentially with a certificate as proof. That way you meet the rules and protect the knowledge that sets your company apart.
Read also: cleaning companies: destroying customer data, catering companies: destroying customer data, equipment rental: destroying customer data and the GDPR retention periods cheatsheet.
Have business data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.