Software companies: destroying customer data
A software company rarely manages only its own data. Your applications, databases and backups hold the customer data of the organisations that use your software, often with real personal data about their customers or staff. On top of that come development and test environments, old data carriers and a drawer full of paper contracts and quotes. This guide shows which role you hold, what the processor agreement asks of you and how to destroy customer data confidentially at the end.
The quick answer: for the data you process on behalf of clients you are the processor; the client remains the controller. At the end of a contract you return the data or destroy it, at the client's choice. Test and backup data with real details count too. Whatever may be disposed of is destroyed confidentially and with a certificate.
Two roles: processor and controller
At a software company two roles coincide. For the data you store and process on behalf of a client you are the processor. The client decides what that data is used for and is the controller. For your own administration, your staff and your lead data you are the controller yourself. Those two roles carry different rules for retention and destruction.
The distinction is not theoretical. As a processor you do not decide yourself when customer data may go; the client does. You record in the processor agreement how you handle that data and what happens at the end of the contract. For your own data you do set the retention periods yourself, within the limits of the GDPR.
Retention periods by part
The period differs per type of data and per role. The overview below gives the outline. Count the tax period from the end of the financial year and the period for customer data from the end of the contract.
| Part | Starting point | Period |
|---|---|---|
| Customer data as processor | Processor agreement | until end of contract |
| Own invoicing and contracts | Tax retention obligation | 7 years |
| Development and test data | As briefly as possible | until no longer needed |
| Backups with customer data | Per backup cycle | purpose-bound |
| Old data carriers and servers | After decommissioning | destroy at once |
| Logs and support tickets | Storage limitation | as briefly as possible |
Use this as a guideline, not a substitute for the arrangements with your client. The client may require a shorter period than your own policy. A full overview by category is in the GDPR retention periods cheatsheet.
The processor agreement: return or destroy
The processor agreement is the document that sets out what you may and must do with customer data. A fixed element is the arrangement about the end of the contract. You then return the data to the client or you destroy it, at the client's choice. Either choice has to be carried out thoroughly, not treated as a button you forget to press.
Record per client which choice was made and on which date. Carry that choice out everywhere the data sits, so not only in the production database but also in exports, reports and backups. Confirm the destruction with proof, so the client knows the data is really gone. Without that confirmation you keep carrying a risk that should long since have been closed off with the client.
Development and test data with real details
One of the biggest blind spots sits in the test and development environments. To reproduce a bug or test a migration, a copy of the production database is all too often used, with real personal data in it. That copy falls under the same GDPR requirements as production, but is rarely secured or cleared out as carefully.
So work as much as possible with pseudonymised or synthetic data in test and development. If you do need real details, clear out the copy as soon as the task is done. Think too of local copies on a developer's laptop and of exports that stay behind in a shared folder. How you make sure a copy in the cloud really disappears is set out in really deleting cloud data.
Backups, old data carriers and paper contracts
Customer data lives longer than the production environment. Backups run in cycles and hold data after you have removed it in production. Include that cycle in your arrangements, so a withdrawn account also disappears from the backups within a reasonable period. Who owns which backup media and who destroys it is set out in backup media and ownership.
Old servers, single drives and SSDs going out of service often still hold customer data. Wiping alone is not always enough for those data carriers. When wiping suffices and when physical destruction is needed is set out in wiping versus destroying a hard drive. And do not forget the paper. Signed contracts, quotes with customer details and old implementation plans often still sit in a cabinet. Those do not belong in the paper bin.
How to handle it in 6 steps
- Determine your role per data flow as processor or as controller.
- Record in the processor agreement what happens at the end of the contract.
- Replace real data in test and development with pseudonymised or synthetic details.
- Include backups and exports in every deletion round.
- Collect old data carriers and paper in sealed containers, not in the waste.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Customer data is destroyed confidentially, because you work with other people's personal data. You erase digital data demonstrably, and you have old data carriers physically destroyed by serial number. Paper contracts and quotes travel sealed and stay that way until destruction, so the chain is closed.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof to the client and under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Customer data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Common mistakes
- Keeping customer data on your own initiative. As a processor the client decides, not you.
- Leaving test copies behind. Real details in test count as heavily as production.
- Forgetting backups in a deletion round. Data lives on in the backup cycle.
- Throwing away old drives unwiped. A decommissioned SSD holds recoverable data.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
Are you a processor or a controller for customer data?
For the data you process on behalf of a client you are usually the processor. The client sets the purpose and means and is the controller. For your own administration and staff you are the controller yourself. That distinction decides who rules on retention and destruction.
What must happen to the customer data at the end of the contract?
The processor agreement requires you to return or destroy the customer data afterwards, at the client's choice. Record which choice was made, carry it out across all environments and backups and confirm the destruction with proof.
May I use real customer data in a test or development environment?
Only with restraint. Real personal data in test and development environments falls under the same GDPR requirements as production. Work as much as possible with pseudonymised or synthetic data and clear out test copies with real data as soon as they are no longer needed.
How do I destroy customer data and data carriers in line with the GDPR?
You erase digital data demonstrably and have old data carriers physically destroyed. Paper contracts and quotes travel sealed and are destroyed confidentially with a certificate, which you record in the record of processing.
Conclusion
A software company manages other people's customer data, often with real personal details, across production, test, backups and on paper. Determine per flow whether you are a processor or a controller, record in the processor agreement what happens at the end of the contract and carry that out everywhere the data sits. Replace real details in test with synthetic data and clear out old data carriers and paper on time. Whatever may be disposed of, you have destroyed confidentially, with a certificate as proof. That way you protect the data your clients have entrusted to you.
Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.