Destroying a personnel file: when is it required, how do you do it and what does the GDPR demand?
Every company that employs staff, or has done so, sits on a pile of paper containing personal data. Employment contracts, payslips, performance reviews, copies of ID documents, sickness notifications: each one is a document containing personal data to which the GDPR attaches strict rules. Not only about how long you may keep them, but also about how you must destroy them once the period is over. And that last part is rarely explained.
Because that is where it goes wrong. Organisations have a reasonable grasp of when certain files may go in the bin. But what then? A cardboard box of old personnel folders that simply ends up with the waste paper is a data breach. And that is a notifiable violation towards the Dutch Data Protection Authority (AP).
This guide gives you a complete answer: when must you destroy, how, what security level is required and when you are better off outsourcing than shredding yourself.
When may and must you destroy a personnel file?
The retention obligation for personnel data is not uniform, because a file consists of dozens of categories of documents, each with its own period. The most relevant:
| Document | Retention period | Legal basis |
|---|---|---|
| Employment contract, payroll data | 7 years after end of employment | Art. 52 AWR (tax retention) |
| Copy of ID document | 5 years after end of employment | Wage Tax Act / Wwft |
| Occupational health file / absence data | 2 years after leaving (via occupational health service) | Gatekeeper Improvement Act |
| Performance reviews, correspondence | 2 years after leaving | GDPR storage limitation |
| CV / application data (rejected) | 4 weeks after rejection (max. 6 months with consent) | GDPR art. 5 |
| ID copy for Wwft (financial) | 5 years | Wwft art. 33 |
| Occupational health file with medical exposure | 20 years after end of role | Working Conditions Act |
The main rule: once the maximum retention period has passed, you may not only destroy, you must. See also our article ‘Tax retention: 7 years and then?’ for the specific tax angle. The GDPR term for this is the obligation to destroy, which follows from the principle of storage limitation (art. 5(1)(e) GDPR). Keeping data after the period ends, even if you ‘no longer use it anyway’, is a violation.
In practice this means: schedule a destruction moment in your calendar each year, preferably right after your annual closing or at the end of a quarter. Tie it to your employee exit dates.
How thoroughly must you destroy a personnel file?
This is the part most employers get wrong. Tearing a document and dropping it in the bin is not destruction. Throwing it in the paper container next to the copier is not either. Even a basic office shredder is in many cases insufficient.
The GDPR requires in article 32 ‘appropriate technical and organisational measures’ to protect personal data. That obligation does not end at storage; it lasts until the moment the document is physically illegible. In practice you can rely here on the European industry standard DIN 66399, which defines security levels for paper destruction:
- P-3: Strip-cut, shreds approx. 2 × 200 mm. Insufficient for personal data.
- P-4: Cross-cut, approx. 4 × 40 mm. Acceptable for ordinary office documents.
- P-5: Micro-cut, approx. 2 × 15 mm. Required for special categories of personal data.
- P-6 / P-7: For government and confidentiality-sensitive documents.
For personnel files, which almost always contain special categories of personal data (medical data from the occupational health file, citizen service numbers on payslips, copies of ID documents), at least DIN 66399 P-5 applies in practice. A cheap office shredder usually does not reach that level.
Destroying it yourself, when it works and when it does not
For small volumes, a handful of folders a year, you can consider destroying it yourself. But then three conditions apply:
1. The machine reaches at least P-4, preferably P-5
Check the type plate or the packaging. Cheap strip-cut devices for home use are typically P-2 or P-3.
2. You record who destroyed what, and when
The GDPR asks not only that you destroy, but also that you can demonstrate you destroyed. Without a log or internal document that proof does not exist, and in an AP investigation you then have nothing to stand on.
3. You do not involve special categories of personal data
As soon as the file contains medical information (even a simple sickness date counts if it is traceable to a person), the risks rise sharply. An occupational health file with absence history belongs in a destruction process with P-5 and a demonstrable chain of evidence.
What to expect from outsourcing
As soon as you choose professional destruction, there are four things you should always ask:
1. Sealed transport
Your material must travel from your office to the destruction site in a closed container or box. An unsecured truck, with boxes mixed across several clients, is not acceptable for special categories of personal data.
2. Destruction at DIN P-5
Ask explicitly about the certification level. Many providers default to P-4 (cheaper). For personnel files with medical data, citizen service numbers and ID copies you need P-5.
3. Certificate of Destruction
After every order you should receive a Certificate of Destruction stating: date, quantity (kilos or units), applied DIN standard and the order number. Keep that certificate at least 5 years in your GDPR file. It is your proof if the AP ever asks questions.
4. Data processing agreement
You engage a processor. That means you must conclude a data processing agreement before the first box is handed over. Without a signed DPA you are in violation yourself.
Digital personnel files
Many employers have by now digitised their personnel files. Good. But digital files too must be demonstrably destroyed when the period expires.
Simply deleting a file and emptying the recycle bin is not enough: the data is then still present on the hard drive. Destruction only becomes irreversible once you overwrite the drive (for HDDs) or, for SSDs, which store data differently, physically destroy the drive.
Read more about the limits of digital wiping in our article ‘Destroying SSDs: why overwriting does not work’ and about the difference between wiping and destroying in ‘Wiping versus destroying a hard drive’.
Destroying a personnel file in 6 steps
- Inventory your files. Make a list of all (former) employees and their start date. Calculate per document which period applies.
- Select what may be destroyed. Use the table at the top of this article as a reference. In doubt? Ask your payroll administrator or HR adviser.
- Choose your method. Small volume without special categories: P-5 office shredder. Larger volume or sensitive content: outsource.
- Sign a data processing agreement with your destruction party before the first order.
- Carry out the destruction and receive a certificate.
- Record it. Note in your privacy register (the records of processing, required by GDPR art. 30) when, what and how the destruction took place.
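The inventory, selection and recording steps above, together with the retention table at the top of the article, can be mechanised so the annual destruction round is repeatable and leaves a record. Below is an added Python example (not the article's own tool and not software from De Snipperaar) that encodes the table's retention periods, computes which documents are due for destruction on a given day, picks the DIN 66399 level the article requires for the batch, checks whether a former employee's early-erasure request can be honoured, and produces the entry for the records of processing. The category keys, the names, the dates and the certificate number are constructed for the example; the ‘special category’ and ‘statutory’ flags per row are a reading of the table and the surrounding text, not values from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention periods taken from the article's table (added example, not the
# article's own tool). Each entry: (unit, length, special_category, statutory).
# special_category: the article says these documents need DIN 66399 P-5.
# statutory: the period is set by law and cannot be cut short on request.
RETENTION = {
    "employment_contract":   ("years", 7,  False, True),   # Art. 52 AWR
    "payroll":               ("years", 7,  True,  True),   # payslips carry citizen service numbers
    "id_copy":               ("years", 5,  True,  True),   # Wage Tax Act / Wwft
    "absence_data":          ("years", 2,  True,  True),   # medical data, Gatekeeper Improvement Act
    "performance_review":    ("years", 2,  False, False),  # GDPR storage limitation only
    "application_rejected":  ("weeks", 4,  False, False),  # GDPR art. 5
    "medical_exposure_file": ("years", 20, True,  True),   # Working Conditions Act
}


@dataclass(frozen=True)
class Record:
    person: str      # employee or applicant (constructed sample names below)
    category: str    # key into RETENTION
    end_date: date   # exit date, or rejection date for applicants


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start date falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_date(category: str, end_date: date) -> date:
    """First day on which the document may (and must) be destroyed."""
    unit, length, _, _ = RETENTION[category]
    if unit == "years":
        return add_years(end_date, length)
    return end_date + timedelta(weeks=length)


def due_for_destruction(records: List[Record], today: date) -> List[Record]:
    """Step 1 and 2 of the plan: records whose retention period has ended as of `today`."""
    return [r for r in records if destruction_date(r.category, r.end_date) <= today]


def required_din_level(records: List[Record]) -> str:
    """Step 3: P-5 if any document in the batch is a special category, otherwise P-4."""
    return "P-5" if any(RETENTION[r.category][2] for r in records) else "P-4"


def may_honour_early_erasure(record: Record, today: date) -> bool:
    """A former employee's request to destroy early can only be honoured when there is
    no statutory retention period, or when that period has already ended anyway."""
    statutory = RETENTION[record.category][3]
    return (not statutory) or destruction_date(record.category, record.end_date) <= today


def register_entry(records: List[Record], today: date, method: str,
                   certificate: Optional[str] = None) -> dict:
    """Step 6: the entry for the records of processing: when, what and how."""
    return {
        "date": today.isoformat(),
        "documents": sorted(f"{r.person}:{r.category}" for r in records),
        "count": len(records),
        "din_level": required_din_level(records),
        "method": method,              # e.g. "own shredder" or "outsourced"
        "certificate": certificate,    # Certificate of Destruction number when outsourced
    }


# Constructed sample data: names, dates and the certificate number are invented.
SAMPLE_RECORDS = [
    Record("A. Jansen", "employment_contract", date(2018, 12, 31)),
    Record("A. Jansen", "payroll", date(2018, 12, 31)),
    Record("A. Jansen", "id_copy", date(2018, 12, 31)),
    Record("B. de Vries", "absence_data", date(2024, 6, 30)),
    Record("B. de Vries", "performance_review", date(2024, 6, 30)),
    Record("C. Bakker (applicant)", "application_rejected", date(2025, 12, 1)),
]
TODAY = date(2026, 1, 15)

if __name__ == "__main__":
    due = due_for_destruction(SAMPLE_RECORDS, TODAY)
    for r in due:
        print(f"destroy {r.person}: {r.category} (period ended "
              f"{destruction_date(r.category, r.end_date)})")
    print(register_entry(due, TODAY, "outsourced", certificate="CERT-EXAMPLE-0001"))
```

Run as a script it lists the documents whose period has ended and prints the register entry; in the constructed data the batch contains payslips, so the level comes out as P-5 even though the applicant's CV on its own would only need P-4. The statutory flag is what stops an early-erasure request from silently deleting tax or absence data the employer is still obliged to keep.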
Want personnel files destroyed?
We destroy at DIN 66399 P-5, with a data processing agreement and a certificate per order. Audit-proof for your GDPR file.
Frequently asked questions
Can I just throw a personnel file in the paper container?
No. Personnel files contain personal data and must be destroyed confidentially. Throwing them unshredded in the paper container is a data breach you are obliged to report to the Dutch Data Protection Authority.
Which DIN level is required for personnel files?
In practice at least P-4, but for files containing citizen service numbers, copies of ID documents or medical data, P-5 is recommended and required under a strict GDPR reading.
How do I prove I destroyed the personnel file?
With a Certificate of Destruction from a certified destruction party, or with an internal log (date, name of person destroying, quantity, DIN level) if you destroy it yourself.
Do I have to inform the employee when I destroy their file?
It is not legally required, but it is good practice and strengthens the relationship of trust. Some collective labour agreements prescribe it.
What if a former employee asks to destroy their file before the retention period is over?
You can only comply for data without a statutory retention obligation. You must keep tax and social security data, even if the employee asks otherwise.
May I keep an old personnel file longer just to be safe?
No, unless there is a demonstrable reason (ongoing lawsuit, AP investigation). ‘Just to be safe’ is not a GDPR basis.
Are there consequences if I forget to destroy?
Yes. Unnecessary retention of personal data is a GDPR violation for which the AP can impose a fine. You also risk a data breach if the data unintentionally ends up in the wrong hands.
Conclusion
Destroying personnel files is not an administrative side issue, it is a legal obligation with direct privacy and liability risks. The retention period is the starting point, the obligation to destroy is the finish line. Use the table and the step-by-step plan in this article as the basis for your own annual destruction round.
Do you have larger volumes, or do your files contain medical data or ID copies? Then outsourcing to a certified party is the most solid choice, including a data processing agreement and certificate.
Want to know what it costs to have your personnel files destroyed? Call us or request a quote via desnipperaar.nl. Within 5 minutes you have a fixed price. No surprises, no contract.