Personnel file retention: how long to keep it under the GDPR
How long must you keep a personnel file? There is no single number for it. A file consists of separate components that each have their own period. You keep most documents until about 2 years after employment ends, but the payroll records stay 7 years and a copy of an ID document 5 years. This article gives the right retention period per component and an overview table, and explains what to do when a period ends.
Most employers do not struggle with whether they may keep old files, but with exactly how long. One payslip has to last for years, a note from an appraisal interview may go much earlier. Anyone who keeps everything for the same length of time holds too much personal data for too long. That is no small matter, because over-retention is just as much a GDPR breach as destroying something with a legal retention obligation too early.
This article is all about the periods themselves. If you want to know how to clear out a file confidentially afterwards, you can read that in the pillar article on destroying a personnel file. Here we look at the duration, there at the execution.
The principle of storage limitation
The GDPR itself names almost no concrete years. The law works with a principle: storage limitation, set out in article 5. You keep personal data no longer than necessary for the purpose for which you collected it. Once that purpose is reached and there is no other legal basis left, you must destroy the data. A personnel file is a textbook example of this, because the purpose shifts per component. An employment contract serves a different purpose than a sickness record, so the period differs too.
Why a personnel file has no single period
A personnel file is not a document but a collection. It contains employment contracts, payslips, copies of diplomas, interview reports, sickness notifications, pension documents and sometimes a copy of an ID document. Each of those categories has its own purpose and therefore its own period. Some periods come from tax legislation, others from employment law and yet others follow only from GDPR storage limitation. That is why you can never give the whole file a single fixed expiry date in one go. You have to take it apart.
The standard period: about 2 years after employment ends
For the largest part of a personnel file a guide period of about 2 years after the end of employment applies. Think of appraisal reports, correspondence, agreements about training and general notes. The data protection authority treats these two years as a reasonable period during which you may still need file documents after departure, for example for a reference or an ongoing dispute. After that the purpose usually lapses and the material should be cleared out. Two years is therefore not a legally hard number but a well-defensible standard.
Payroll and salary records
The payroll records are the best-known exception. Payslips, annual statements and the related financial data fall under the tax retention obligation of 7 years. That follows from the general tax act and applies from the moment the data loses its current value for the tax authority, in practice after the end of the financial year or the employment. Part of the wage-tax data has a different period of 5 years. So you must never throw this component out together with the rest after two years. More on this tax side is in the 7-year tax retention obligation.
Copy of an ID document
Special rules apply to the copy of an ID document. You are required to keep this copy until 5 years after the end of employment, on the basis of the tax and social legislation around wage tax. At the same time this is a sensitive document with a national identification number and a photo. So keep only the required copy, and no more copies than needed, and destroy the copy at the highest level once the five-year period has passed. Destroying too early can land you in trouble at a tax inspection; destroying too late is a GDPR breach.
Sickness and occupational health file
Sickness data is health data and therefore falls under the special categories of the GDPR. The main rule is that you keep sickness data no longer than needed, with a guide period of 2 years after the end of employment. The substantive occupational health file is moreover usually managed by the occupational health service or company doctor, not by you. An exception is exposure to hazardous substances, where occupational law has far longer periods, running up to decades. For ordinary sickness you keep it short and destroy the documents at the highest level.
Pension data
Pension data forms a separate stream. Part of it runs via the pension provider and not via your own file. The data you keep yourself, such as the enrolment documents and the employee's choices, has longer periods because a pension only pays out decades later. So keep pension documents apart from the rest of the file and apply a separate, wider period to them. Do not automatically throw them away at the moment you clear out the general file documents after two years.
Applicant data of rejected candidates
Does a rejected applicant belong in the personnel file? Strictly speaking no, but the material comes from the same process and is often kept in the same place. For rejected candidates a short period applies: you delete their data at the latest 4 weeks after the end of the procedure, or after a maximum of 1 year if the candidate has given consent for that. This component is often forgotten, even though it contains a lot of personal data from people who never joined you. We cover this separately in its own article, see the reading tips at the bottom.
The retention periods at a glance
The table below lists the most important components. Use it as a starting point and always check whether different arrangements apply for your sector or collective agreement.
| Component | Retention period | Basis |
|---|---|---|
| Payroll records, annual statements | 7 years | Tax retention obligation |
| Wage-tax data | 5 years after employment ends | Wage tax act |
| Copy of ID document | 5 years after employment ends | Wage tax / tax legislation |
| Employment contract, changes | 2 years after employment ends | GDPR storage limitation |
| Appraisal reports, correspondence | 2 years after employment ends | GDPR storage limitation |
| Sickness and occupational data (ordinary) | 2 years after employment ends | GDPR / occupational law |
| Applicant data (rejected) | 4 weeks, or 1 year with consent | GDPR storage limitation |
| Pension data | Longer, via provider | Pension legislation |
A broader overview across all kinds of personal data is in the GDPR retention periods cheatsheet. That helps to put client files and administration outside HR on the right period too.
The difference between may keep and must keep
An important distinction that many employers confuse: a retention obligation is something different from a retention possibility. For the payroll records and the copy of the ID document a real obligation applies: you must keep them, even if the employee asks for deletion. For most other components you may keep them only as long as the purpose runs. Once that purpose is gone, it tips from may keep to must destroy. Keeping just in case is not a valid basis under the GDPR and instead creates risk.
Who is responsible for the retention periods?
The employer, as controller, is liable for complying with the periods. In practice the execution often lies with the HR department or with a payroll administrator, but the ultimate responsibility stays with the organisation. So agree clearly who checks each year which files are past their period and who carries out the clear-out. Record that, because at an inspection by the data protection authority you must be able to show that the management of retention periods is not coincidence but a fixed working method. How you show that is in demonstrable destruction for the GDPR.
What do you do when a period ends?
When a period ends, keeping is no longer allowed and you must clear out. That clearing out is not a matter of the paper bin. A personnel file contains personal data and often also special data, so throwing it out unshredded is a data breach. You destroy the documents confidentially at the right DIN level and keep a certificate of destruction as proof. How that whole process works, from inventory to the right level, is in the pillar destroying a personnel file. There it is about the mechanics, here about the timing.
A fixed rhythm instead of separate actions
Managing retention periods works best as a yearly round. Set a fixed moment in the calendar, for example after the annual closing, and then check for each former employee which components are past their period. What may go goes into a sealed collection; what must stay stays, with a new end date noted. That way a natural clear-out moment arises each year and you build a line of evidence at the same time. A fixed rhythm prevents files from lying around for years because nobody felt responsible for clearing them out.
Recording retention periods in policy
Record the periods in a short document, for example as part of your record of processing. It states per category how long you keep, on what basis and who carries out the clear-out. It does not have to be a hefty piece, but it makes the difference between separate decisions and a demonstrable policy. At an audit you use it to show at a glance that you know and apply the retention periods. Without a record it remains good intentions, and those do not count at an inspection.
Common mistakes with retention periods
- Keeping everything for the same length. Holding the whole file for seven years seems safe, but it is over-retention of the documents that should go after two years.
- Throwing everything out at once. Clearing the entire file after two years also destroys the payroll records that had to stay another five years.
- Keeping just in case. That is not a GDPR basis and instead creates risk at an inspection.
- Forgetting the ID copy. It has its own period of five years and a high protection level.
A real-world example
Imagine an employee leaves at the end of 2025. The general file documents, such as interview reports and correspondence, may go at the end of 2027. The sickness data follows the same line. The payroll records and annual statements, however, stay until the end of 2032 because of the tax retention obligation, and the copy of the ID document until the end of 2030. A well-managed file therefore breaks down into parts, with different end dates. Whoever notes this neatly never has to guess and clears out each year exactly what is due.
See also: the pillar destroying a personnel file for the execution, and the three related articles on applicant data retention and destruction, payroll records retention and destruction and the offboarding checklist.
Frequently asked questions
How long must I keep a personnel file?
A personnel file has no single period. Most components you keep until about 2 years after employment ends, but payroll and tax records stay 7 years and a copy of an ID document 5 years.
What is the retention obligation for a personnel file?
A real obligation applies only to components with a legal basis, such as the payroll records (7 years for tax) and the wage-tax data (5 years). The rest falls under GDPR storage limitation and may not be kept longer than needed.
What does the GDPR say about retention periods?
The GDPR sets no fixed periods but the principle of storage limitation in article 5. You keep personal data no longer than needed for the purpose for which you collected it.
May I keep a personnel file longer just in case?
No, unless there is a demonstrable reason, such as an ongoing dispute. Keeping just in case is not a valid GDPR basis and creates risk at an inspection.
What do I do when the retention period ends?
Then you destroy the documents confidentially at the right DIN level and keep a certificate as proof. Throwing them out unshredded is a data breach.
Conclusion
How long you keep a personnel file depends on the component. Most documents may go after about 2 years, the payroll records stay 7 years and the copy of the ID document 5 years. So take the file apart, give each component its own end date and clear out each year what is due. As soon as a period ends you destroy the documents confidentially and keep the proof. That way you meet storage limitation without throwing anything out too early or too late.
Clear out files with an expired retention period? Request a quote via desnipperaar.nl or read how destroying a personnel file works. You receive a certificate as proof.