WGBO 20 years for patient files: the practice for GPs and dentists
Since 1 January 2020 a retention period of 20 years has applied to medical files. That is in article 7:454 of the Dutch Civil Code (BW), part of the WGBO (Medical Treatment Agreement Act). The period was extended from 15 to 20 years to better match the average duration of healthcare and liability questions. For GPs, dentists, physiotherapists and specialists it means in concrete terms: every file you open stays with you for twenty years after the last entry. This article addresses what that means in practice and how to destroy compliantly when the period expires.
Audience: GPs, dentists, physiotherapists, specialists, practice managers and data protection officers in healthcare.
The essence of article 7:454 BW
The law literally provides that the healthcare provider keeps the file "for twenty years, counting from the moment the last change to the file took place, or for as much longer as reasonably follows from the care of a good healthcare provider".
Two things stand out. First: the clock starts at the last change, not at the start of treatment. A file for a patient who has been coming since 2015 and had a consultation in 2024 is retained until 2044. Second: "as much longer as reasonably" opens the door to longer retention for specific cases, for example for hereditary conditions where family members may still need information.
Exceptions and variants
- Minor patients: the 20 years only start at the 18th birthday. For a child treated as a baby who last attended at the age of 2, the period runs until their 38th.
- Specific categories: for X-ray images, for example, the period applies in full because they are part of the file.
- Deceased patients: 20 years after death, with certain categories (hereditary diseases, familial conditions) sometimes kept longer.
- Psychiatric files: often follow the same regime, with NIP or NVvP guidelines as supplements.
- Occupational health files: 15 years (art. 7:464 BW refers to other legislation).
Destroying earlier than 20 years carries disciplinary and civil-law risks. Retaining longer is only permitted under the GDPR if there is a specific ground.
EHR and paper: hybrid archives
Most practices work with an Electronic Health Record (EHR) such as Promedico, Medicom, Mira, Exquise or OmniHis. But there is almost always still a partial paper archive:
- Old cards from the pre-EHR era
- Incoming letters and referrals that have not been fully digitised
- X-rays on film (particularly in older dental practices)
- ECG strips and lab results on paper
- Intake forms
For the paper part the same regime applies as for the digital one: keep for 20 years, then destroy. A hybrid approach only works if it is clear which medium holds the "source document". Source documents on paper with a digital copy: paper may go as soon as digital archiving is tamper-proof and readable (in line with GDPR art. 32).
What do you destroy when the 20 years are up?
From 2040 the first wave of files under the new regime starts to expire. For 2025 it is still files from 2005 that fell under the old 15-year regime, but received the new 20-year treatment in 2020 if something was changed.
In concrete terms you destroy:
- Paper file cards
- Referral letters and specialist reports
- X-rays on film (F-series DIN 66399)
- Old microfiches
- CDs and DVDs with imaging material (O-series DIN 66399)
- USB sticks and SD cards with backups (E-series)
- Hard drives from old workstations (H-series, see HDD wipe vs destroy)
For paper DIN 66399 P-5 is the standard in healthcare, because patient files fall under the special category of GDPR art. 9.
Certification and the role of the DPO
Every destruction round requires a certificate that goes into the practice GDPR file. The Data Protection Officer (mandatory in larger healthcare organisations, recommended in smaller ones) uses this for audits and any questions from the Dutch Data Protection Authority or the Healthcare and Youth Inspectorate.
At minimum on the certificate:
- Number of units per type (file cards, photos, tapes, drives)
- Method (mobile shredder, disintegrator)
- DIN 66399 level (P-5, E-5, F-5 for imaging material)
- Date and location of destruction
- Names of executor and witness (practice manager, doctor, DPO)
- Unique job number
Practice move, merger or archive closure?
We destroy patient files at your location to DIN 66399 P-5, including X-rays, CDs and old EHR drives. Certificate per job, rush within 24 hours possible.
Request a quoteClosing or handing over a practice
When a doctor retires or hands over the practice, the retention duty remains. There are two options:
- Handover to successor: the new doctor takes over the file under confidentiality. The patient has the right of access and can object. Document the handover in a processor agreement.
- External archive service: specialist archive managers keep files until the end of the period. Destruction then takes place under that service's management. Check whether they offer DIN 66399 P-5 and certification.
What is not allowed: storing files at the doctor's home. The location must have access control, a fire-resistant safe and logging.
The interplay with the GDPR
The WGBO-specific retention period takes precedence over GDPR storage limitation. As long as the 20 years are running, retention is not only permitted but mandatory. As soon as the period expires, GDPR art. 5 comes back into view and destruction is the default.
Patients can within the period still request earlier destruction (art. 7:455 BW). The doctor may refuse if "a substantial interest of someone other than the patient" stands in the way (for example an ongoing liability claim). In most cases the request is granted and destruction follows according to P-5.
The practical calendar
A good practice schedules a destruction moment per year, preferably in January or February. Then it is quiet and you can remove the files from the year 20 years ago minus 1 (so in 2026 the files that had their last entry in 2005) from the archive, draw up a check list and have them destroyed in a mobile shredder round.
Planning an annual destruction of the care archive? Call us or request a quote via desnipperaar.nl. We will help think through classification, DIN level and planning at no charge.