HomeKnowledge base › Pension funds and record destruction
Financial

Pension funds: destroying member data

A pension fund's member files ready for appraisal and confidential destruction

A pension fund or pension administrator manages data that lasts a whole working life and often beyond. Member data, salary and employment history, value transfers, the national ID number and sometimes health data with a disability pension. Unlike most organisations, the problem here is not that you keep it too long, but that you may not destroy it too early. This guide shows which data you keep for a long time, what you may clear out and how to destroy that part confidentially.

The quick answer: pension data often has to be kept for a very long time, because an entitlement runs until well beyond the retirement date and sometimes continues in a survivor's pension. So you keep the core of a member file for a long time. Only redundant data, such as duplicates and settled documents with no entitlement, you clear out confidentially, with a certificate as proof.

Why pension data is kept for a long time

In most sectors it is about clearing out as quickly as possible. With pensions it is different. A pension entitlement arises during working life and is only paid out decades later. After that a survivor's pension can extend the entitlement further. To be able to demonstrate in thirty or forty years what someone is entitled to, the fund must keep each member's core data all that time. Destroying too early could cost a member their accrued right.

That makes the GDPR storage limitation a subtle story here. You do not keep longer than necessary, but for pensions necessary simply means long. The art is to distinguish the core data you must keep from the redundant data that no longer serves a purpose. It is that latter part that is a candidate for destruction.

Which member data do you keep for a long time?

The data that underpins the pension entitlement you keep for as long as that entitlement exists. This is the core of the member file, for active members, former members with a paid-up entitlement, pensioners and survivors. As long as a right or a possible future payment is attached, there is a valid purpose to keep it.

  • Personal and identification data, including the national ID number.
  • The accrual and employment history that underpins the entitlement.
  • Value transfers with a running consequence.
  • Data on commenced payments and survivor's pension.

The administration itself also falls under the seven-year tax retention obligation, as described in the 7-year tax retention obligation. So those seven years are a minimum for the bookkeeping, while the entitlement data lasts much longer.

What may you destroy?

Despite the long retention obligation, a pension archive continuously produces material that no longer serves a purpose. Duplicate documents, old printouts, outdated correspondence with no retention value, settled value transfers and data on bought-out small pensions for which no entitlement remains. As soon as an entitlement has been fully settled and no right is attached any more, the purpose to keep that data lapses.

This is the part you clear out confidentially, not into the paper bin. Assess per file whether the entitlement really has been settled before anything goes, because destroying too early is the biggest risk here. What remains after that check travels sealed for destruction.

Keep or destroy at a pension fund

The overview below gives the main line. Always first assess whether an entitlement still exists before you destroy anything.

Type of dataStarting pointAction
Core data with a running entitlementKeep very longkeep
Administration and bookkeepingTax retention obligation7 years
Disability dataSpecial-category dataseparate, destroy finely
Settled value transferPurpose lapseddestroy confidentially
Bought-out small pension, no entitlementPurpose lapseddestroy confidentially
Duplicates and old correspondenceNo retention valuedestroy confidentially

Use this as a guideline, not a final legal ruling. When in doubt about an entitlement, consult your actuary, lawyer or compliance department. The general period logic is in the GDPR retention periods cheatsheet.

Disability and other special data

With a disability pension, health data enters the file. That is special-category personal data, with stricter rules. It should be secured separately and, as soon as it is no longer needed, disappear at a fine level. Keep this data recognisably separate within the file, so you can destroy it specifically without the rest of the member file suffering.

System migrations and data carriers

Pension administrators regularly renew their administration systems. In such a migration old servers, backup tapes and disks are left behind with complete member administrations on them. First carefully transfer what you must keep to the new environment and check that the transfer is complete. Only then do the old carriers come into view for destruction.

Deleting a file is not enough, because the data stays on the disk. After a successful migration, have the old data carriers destroyed at a fine level. That way no second copy of a complete pension archive is left unmanaged on written-off equipment.

How to handle it in 6 steps

  1. Distinguish core data with a running entitlement from redundant data.
  2. Assess per file whether an entitlement really has been settled.
  3. Treat health data separately and at a fine destruction level.
  4. In a migration, transfer what you must keep and check completeness.
  5. Collect the redundant part in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

The redundant part and the old data carriers you have destroyed confidentially at a fine level, because a pension file contains a national ID number and sometimes health data. The paper and the carriers travel sealed and stay that way until destruction, so the chain is closed.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and the regulator that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Redundant pension archive to be destroyed?

Tell us what may go after your check and you get a fixed price. We collect it sealed, destroy it at a fine DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Request a quote

Common mistakes

  • Destroying core data too early. An entitlement runs until well beyond the retirement date and sometimes after.
  • Keeping redundant data anyway. Settled documents with no entitlement should go.
  • Not treating health data separately. Disability data is special-category data.
  • Not clearing out old systems. A complete archive on a written-off server is an open risk.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long does a pension fund keep member data?

Often very long. A pension entitlement runs until well beyond the retirement date and sometimes continues in a survivor's pension. So you keep a member's core data until long after the end of employment, not a few years.

What may a pension fund destroy?

Mainly redundant data: duplicate documents, old correspondence with no retention value, settled value transfers and data on bought-out small pensions for which no entitlement remains. You clear those out confidentially.

Is disability data special-category data?

Yes. Health data with a disability pension is special-category personal data. It requires extra security and destruction at a fine level as soon as it is no longer needed.

How do I destroy pension data safely in a system migration?

Carefully transfer the data you must keep and then destroy the old carriers. Paper and data carriers travel sealed and are destroyed at a fine level, with a certificate as proof.

Conclusion

A pension fund faces the opposite problem from most organisations: the biggest risk is not keeping too long, but destroying too early. Keep the core data with a running entitlement for a very long time, until well beyond the retirement date. Clear out only the redundant part, after a careful check of whether the entitlement really has been settled, and treat health data separately. That redundant part you have destroyed confidentially at a fine level, with a certificate as proof. That way you protect both the members' rights and their privacy.

Read also: insurers: destroying claim and policy files, childcare: destroying child and parent records, municipalities: destroying citizen data and archive and the GDPR retention periods cheatsheet.


Have a redundant pension archive collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.