HomeKnowledge base › Payroll bureaus and wage data
HR

Payroll bureaus: destroying wage data

A payroll bureau's payslips and wage files ready for confidential destruction

A payroll bureau works with the most sensitive personnel data there is. Payslips, annual statements, a copy of the identity document, the BSN and complete wage files of every employee you pay for your clients. Part falls under the tax retention obligation, part under the payroll records' own period and part should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially as a processor.

In short you keep the core payroll records for five years after the end of employment and the tax administration for seven years. Payslips, annual statements and a copy ID fall within those periods. Whatever lies outside them you keep no longer than necessary. Everything that may go disappears confidentially and with a certificate.

Two frameworks that run together

At a payroll administration two things run together. The tax retention obligation requires you to keep the payroll records for a number of years, with its own period for the core payroll records. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The retention obligation sets the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.

So treat the wage data per type. An annual statement has a different status than a draft payslip or an old export from your software package. If you make that distinction, you keep exactly what you must and clear out the rest on time. The main lines of keeping and destroying payslips are in payroll records retention and destruction.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the payroll periods from the end of employment.

PartStarting pointPeriod
Core payroll recordsWage-tax rules5 years after end of employment
Tax administrationTax retention obligation7 years
Copy of identity documentEmployer obligation5 years after end of employment
Payslips and annual statementsPart of payroll recordswithin the periods
Absence and health dataSensitive, storage limitationas briefly as possible
Drafts and interim filesNo retention obligationclear out at once

Use this as a guideline, not a substitute for your tax and legal advice. When in doubt, consult the tax authority or your privacy adviser. The tax side is in the 7-year tax retention obligation. How long you keep personnel data more broadly is in the retention period of the personnel file.

Copy ID and BSN in the payroll records

The employer is obliged to keep a copy of an employee's identity document in the payroll records until five years after the end of employment. As a payroll bureau you process that copy on your client's behalf. That makes your environment a collection point for copy IDs and citizen service numbers of hundreds or thousands of people at once. Handle it just as carefully as the payslips themselves.

Do not keep single copies outside the records, secure the BSN and clear out confidentially what you no longer need. The specific periods for copy ID and payroll statements, and how they differ from one another, are in copy ID and payroll statements at the staffing agency.

Processor on the employer's behalf

For the payroll records you as a payroll bureau are usually a processor. The employer is the controller and determines the purpose, you process the wage data on instruction. You set out that division of roles in a processor agreement, with arrangements on security, retention periods and destruction. Without those arrangements it is unclear who decides when which wage files may go.

In the processor agreement also record how the data is returned or destroyed at the end of the collaboration. A departing client often leaves behind an archive of wage files that you may not simply keep. What exactly belongs in such an agreement is in the processor agreement checklist.

Digital wage files and data carriers

A payroll administration has long been more than paper alone. Exports from your software package, backups, old servers, USB sticks with wage files and the laptop of a departed employee all contain wage data. Deleting digitally does not mean the data is really gone, because a wiped drive is often still readable. So treat data carriers just as strictly as the paper.

Collect written-off data carriers separately and have them physically destroyed rather than reused or thrown away. That way you prevent an old drive with a complete wage year ending up at a charity shop or on the street.

How to handle it in 6 steps

  1. Split the data into tax administration, core payroll records, copy ID and drafts.
  2. Keep the statutory periods, five years for the core records and seven years for tax.
  3. Secure the BSN and limit copy IDs to what the law requires.
  4. Set out your role as processor in a processor agreement.
  5. Collect what may go in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Wage data is destroyed confidentially, because it contains identity, salary and sometimes health data. The paper and the data carriers travel sealed and stay that way until destruction, so the chain is closed. An old payroll server, a backup or an archive box with annual statements belongs with it just as much.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and towards your client that you acted carefully. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Wage data to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Request a quote

Common mistakes

  • Keeping copy IDs forever. Five years after the end of employment the ground lapses.
  • Holding on to wage files of departed clients. Without a legal ground that is not allowed.
  • Simply throwing away data carriers. A wiped drive is often still readable.
  • No processor agreement. Then it is unclear who decides on destruction.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long must a payroll bureau keep payroll records?

The core payroll records have a five-year retention period after the end of employment, the tax administration seven years. Payslips and annual statements fall within those periods. Whatever lies outside them you keep no longer than necessary.

May I keep a copy of the identity document in the payroll records?

The employer must keep a copy ID until five years after the end of employment. As a payroll bureau you process that on the employer's behalf. Do not keep single copies longer than necessary and secure the BSN.

Am I a processor or a controller as a payroll bureau?

For the payroll records you are usually a processor on the employer's behalf. Set out that division of roles in a processor agreement, including arrangements on retention periods and destruction.

How do I destroy wage data in line with the GDPR?

Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and you record the destruction in the record of processing.

Conclusion

A payroll bureau manages the wage data, identity documents and citizen service numbers of everyone it pays, between the tax retention obligation and the GDPR. Keep the core records for five years, the tax administration for seven years and secure the BSN. Set out your role as processor in a processor agreement and treat digital wage files just as strictly as paper. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect every employee's data.

Read also: tax advisers: destroying client files, insurance brokers: destroying client files, credit intermediaries: destroying client files and the retention period of the personnel file.


Have wage data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.