HomeKnowledge base › Payroll records retention and destruction
HR

Payroll records retention and destruction: periods and the GDPR

Payroll records retention and destruction under tax law and the GDPR

Payroll records are among the most sensitive stacks of paper in any company. Payslips, year-end statements, citizen service numbers, bank details and copies of identity documents are all in there. You must keep that data for a number of years for the tax authority, but once the period has passed the GDPR requires you to clear it out. This article sets the retention periods in a row and shows how to destroy payroll records confidentially afterwards, with a certificate as proof.

The question of how long you must keep the salary administration looks simple, but the answer differs per component. Part of it falls under the standard 7-year tax retention rule. For the wage-tax statement the period is five years. For the copy of the identity document also five years, but counted from a different moment. Anyone who mixes up those periods keeps records too long or throws them out too early.

What do payroll records contain?

Payroll administration is more than a stack of payslips. It is the whole set of data needed to pay wages and remit wage taxes. In practice it holds a broad range of documents, often the most personal data of your employees:

  • Payslips and wage statements per employee
  • Year-end statements and the annual wage summary
  • The wage-tax data form (formerly the wage-tax statement)
  • Copies of identity documents
  • The citizen service number of every employee
  • Bank details for the salary payment
  • Terms of employment that set the wage, such as contract hours and allowances
  • Settlements of travel costs, pension premiums and leave hours

Each of these pieces contains personal data. Some, such as the citizen service number and the copy of the identity document, count as highly sensitive.

Why payroll records are extra sensitive

Wage data is worth gold to fraudsters. With a citizen service number, a name and a bank account number someone can commit identity fraud or make a phishing attack believable. A payslip also reveals what someone earns, information nobody wants lying around on the street. The citizen service number is a unique number tied to the government. That is exactly why you may only process it where the law allows. Payroll administration is such a place, but only as long as there is a legal basis. Once the basis disappears, the number must go.

For the tax authority you must keep. For the GDPR you must clear out as soon as keeping is no longer needed. The art lies in the right moment.

The 7-year tax retention rule

The core of retention is in article 52 of the Dutch General Tax Act. That article requires those with an administration duty to keep their records for seven years. Payroll administration is explicitly placed under this, because it belongs to the basic administration the tax authority may inspect. Wage tax and contributions fall under that wage-tax retention duty.

The seven years means you must keep the wage statements, the remittances and the underlying documents available for a possible inspection. The period runs until the tax authority can no longer impose an additional assessment. Only after that may the tax side of the payroll administration go. A full explanation of that period is in the 7-year tax retention obligation, which also covers when a period of nine or ten years applies.

The 5-year rule for the wage-tax statement

Alongside the seven years there is a shorter, specific period that many employers overlook. For the wage-tax data form, formerly called the wage-tax statement, a retention period of five years after the end of employment applies. This form holds the data with which you determine whether you apply the payroll-tax credit and at which rate you withhold.

The same five years applies to a few related wage-tax documents directly tied to an employee. The key point is that this period only starts running once the employee has left, not from the calendar year. A statement from an employee who left in 2024 may therefore only go in 2030. Anyone who mixes up the seven years and the five years keeps these forms either too long or too short.

The ID copy: 5 years after employment ends

The copy of the identity document deserves its own mention. You are required to establish an employee's identity on starting employment and to keep a copy of a valid identity document in the payroll administration. That copy must be kept until five years after the end of employment.

Note the difference with other periods. Here the five years starts at the end of employment, not at the year of the copy. As long as someone is employed the copy stays on file, even after fifteen years of service. Only five years after departure does the legal basis lapse and must the copy be destroyed. An ID copy is moreover highly sensitive. Keeping it longer than allowed is a double risk here, as there is then no ground either for tax or for privacy.

Retention periods in a row

The table below summarises the main periods. Use it as a reference for your annual clear-out round.

Payroll componentRetention periodBasis
Wage statements, payslips, remittances7 yearsArt. 52 AWR
Year-end statements and annual wage summary7 yearsArt. 52 AWR
Wage-tax data form (wage-tax statement)5 years after employment endsWage Tax Act
Copy of identity document5 years after employment endsWage Tax Act
Citizen service number registrationAs long as a basis existsGDPR art. 5 / Wage Tax Act
Bank account for salaryUntil payment settled, 7 years for taxGDPR art. 5 / Art. 52 AWR

The periods vary, but the rule behind them is always the same. As long as there is a tax or legal ground, you keep. Once that ground falls away, you clear out. A broader overview of periods for all kinds of data is in the GDPR retention periods cheatsheet.

When does the period start running?

The starting point of a period decides whether you clear out on time. For the tax seven years the period starts on 1 January of the year following the financial year. For the five years of the wage-tax statement and the ID copy the end of employment is the starting point.

The practical advice is to note the relevant end dates at every departure. That way you know per employee exactly when which component may go. Link those dates to a fixed annual clear-out round, for example after the year-end close. Anyone who does not track this keeps old files endlessly out of caution. Caution alone, however, is not a valid GDPR ground.

Digital payroll records also kept and destroyed

Many employers now run their payroll administration digitally. The retention periods do not change because of this. A digital wage statement falls under the same seven years as a paper version. A scanned ID copy falls under the same five years. The difference is in the destruction. Deleting a file and emptying the recycle bin is not the same as destroying, because the data is then still on the drive.

Only when the drive is overwritten or physically destroyed is a digital payroll file truly gone. With a salary package in the cloud you record in the data processing agreement that the supplier deletes the data after the period. If you keep backups on your own drives or USB sticks, those data carriers belong in the same destruction process as the paper.

Keeping for tax versus clearing out for the GDPR

The tension between the tax authority and the GDPR comes out sharply with payroll records. The tax office wants you to keep, the privacy law wants you to clear out. Those two do not clash, they follow one another. During the retention period keeping is required and clearing out is not allowed. After the period keeping is no longer allowed and clearing out becomes required.

The storage limitation principle of article 5 of the GDPR says you do not keep personal data longer than needed. A wage statement past its seven years has no purpose left. Keeping it longer is then a breach, however well meant. The destruction duty is the closing piece that the pillar guide on destroying the personnel file covers in detail.

Confidential destruction of paper at P-5

Once the period has passed, payroll records may go, but not just anyhow. Throwing payslips and ID copies in the paper recycling is a data breach you must report to the data protection authority. The GDPR asks in article 32 for appropriate measures. That obligation runs until the paper is made illegible.

In practice you fall back on the DIN 66399 standard, which sets security levels for paper destruction. Because payroll records contain citizen service numbers and ID copies, P-5 is the minimum, the same level recommended for special categories of personal data.

LevelParticle sizeSuitable for
P-4Small particlesGeneral office documents with ordinary data
P-5Very small particlesPayroll records, ID numbers, ID copies
P-6 / P-7Micro particlesGovernment and strictly secret documents

A cheap office shredder usually does not reach P-5. For an annual stack of payroll records, outsourcing to a certified party is usually the safest choice.

Destroying data carriers with wage data

Wage data is not only on paper. It sits on the hard drives of old computers, on USB sticks with backups and in exports from a salary package. Those data carriers ask for the same careful ending as the paper.

The practical advantage is that paper and data carriers can come in the same collection, each destroyed to the right level. For data carriers the serial numbers are stated on the certificate, so the proof is traceable to the specific carrier. That way you cover the whole flow of wage data at once, on paper and digital.

The certificate of destruction as proof

Destroying is an action, but the GDPR asks that you can also show it. The accountability principle of article 5(2) means you must be able to show that old payroll records were cleared out neatly. The proof for this is the certificate of destruction.

The certificate states the date, the quantity and the DIN level applied, for data carriers supplemented with the serial numbers. Keep the certificate for at least five years in your GDPR file, preferably digitally in a fixed place. If a question ever comes from the tax authority, the data protection authority or a former employee, you show in a few minutes that the data was destroyed. Without that proof it remains good intentions, which do not count in an inspection.

Sealed collection within 20 km of Amsterdam

Demonstrable destruction already begins at collection. If the payroll records are taken away sealed and the chain from collection to destruction stays closed, there is no moment where a file goes missing. That makes the proof stronger.

We work with a collection service within a radius of 20 km around Amsterdam, with no call-out fee in that area. There is no walk-in and no drop-off, everything runs through the collection. Outside Amsterdam we work nationwide via pooled collection rounds, where several jobs in a region are combined into a fixed price. That way confidential destruction stays affordable outside the city too.

What does destroying payroll records cost?

The price is fixed and known in advance. You pay per box or roll container, from about 30 euro for the first box, with the certificate included. Data carriers are settled per item, with serial-number registration. Within 20 km of Amsterdam we charge no call-out fee. There is no contract and no subscription, you pay only for what you have destroyed.

So the proof costs nothing extra. Demonstrable destruction is no more expensive than ordinary destruction, the difference is in the certificate you keep. The full pricing with worked examples is in archive destruction cost.

Steps to a cleared-out payroll administration

  1. Inventory per employee. Note the start and end dates of employment and determine the period per component.
  2. Select what may go. Use the table above. Wage statements after 7 years, wage-tax statement and ID copy 5 years after departure.
  3. Plan a fixed clear-out round. Preferably after the year-end close, so it becomes a habit.
  4. Have it collected and destroyed at P-5 at least, paper and data carriers together.
  5. Keep the certificate for at least 5 years in your GDPR file and note the destruction in your record of processing.

Have payroll records destroyed with a certificate?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at DIN 66399 P-5 and you receive a certificate as proof for your GDPR file. No call-out fee within 20 km of Amsterdam.

Request a quote

Frequently asked questions

How long must I keep payroll records?

The core of the payroll administration falls under the 7-year tax retention rule of article 52 AWR. For the wage-tax statement and the wage-tax data form a period of 5 years after the end of employment applies.

How long may I keep a copy of an identity document?

You must keep the copy of the identity document until 5 years after the end of employment. After that the legal basis lapses and you must destroy the copy.

May I put old payslips in the paper recycling?

No. Payslips contain a citizen service number, wage data and bank details. Throwing them out unshredded is a data breach. Have them destroyed confidentially at DIN 66399 P-5 at least.

Which DIN level is needed for payroll records?

Because payroll records contain identity numbers, P-5 is the practical minimum. That is the same level recommended for special categories of personal data.

How do I prove payroll records were destroyed?

With a certificate of destruction stating the date, quantity and DIN level. Keep that certificate for at least 5 years in your GDPR file as proof for the accountability principle.

Conclusion

Keeping and destroying payroll records comes down to the right moment. The tax retention rule holds the core for seven years, while the wage-tax statement and the ID copy may stay five years after departure. Once those periods have passed, the GDPR requires you to clear out. By noting the end dates per employee and clearing out yearly, you never keep too long and never throw out too early. Have old payroll records destroyed confidentially at P-5 and keep the certificate as proof. That way you keep both the tax authority and the data protection authority satisfied.

See also the pillar guide on destroying the personnel file and the related articles on how long to keep a personnel file, applicant data retention and destruction and the offboarding checklist.


Have payroll records destroyed? Request a quote via desnipperaar.nl. We collect sealed, destroy at P-5 and you receive a certificate as proof for your GDPR file.