Wholesalers: destroying customer data

A wholesaler works with the data of business buyers: customer accounts and contacts, credit and payment data, order and delivery history and a full purchase and sales administration. Part falls under the seven-year tax retention obligation, part you keep no longer than necessary for the trading relationship. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.

The quick answer: the purchase and sales administration you keep for seven years under the tax retention obligation. Customer accounts, contacts and old customer databases you keep no longer than necessary for the trading relationship. What may go is destroyed confidentially, with a certificate as proof.

Two frameworks: tax retention and GDPR

At a wholesaler two frameworks run together. The tax retention obligation requires you to keep your administration for seven years, including invoices, payment data and the purchase and sales administration of your buyers. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The tax duty sets the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.

Many business owners think the GDPR is only about consumers. That is not the case. A wholesaler supplies businesses, but behind every customer account are people: a buyer, a contact, an authorised signatory. Their name, business email address and phone number are personal data. So treat the customer data per type; then you keep exactly what you must and clear out the rest on time.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the moment the trading relationship has been settled.

Part                                  Starting point                     Period
Purchase and sales administration     Tax retention obligation           7 years
Invoices and buyer payment data       Tax administration                 7 years
Customer accounts and contacts        As long as the relationship runs   purpose-bound
Order and delivery history            Until settlement and tax           purpose-bound + 7 years
Credit assessment and limits          As limited as possible             as briefly as possible
Old customer databases and carriers   No retention obligation            clear out and destroy

Use this as a guideline, not a substitute for your own tax advice. The tax side is in the 7-year tax retention obligation and the broader periods are in the GDPR retention periods cheatsheet.

Business customer data is also personal data

The biggest blind spot at wholesalers is the assumption that B2B falls outside the GDPR. A customer account contains the name of a contact, a direct phone number, a business email address and sometimes a private mobile number. That is data about a natural person and therefore personal data. As long as the trading relationship runs you have a ground to keep it. If a buyer stopped ordering years ago, that ground lapses and the account should be cleared out.

The same applies to extensive CRM notes about a contact, from call reports to preferences. Keep only what you need for the cooperation. This principle also applies to a webshop that processes customer data, where the same purpose limitation is the norm.

Credit, payment and order data

Wholesalers often supply on account and work with credit limits. A buyer's credit assessment, payment history and any collection files are sensitive data that say something about a customer's financial position. Keep that information recognisably separate and do not keep it longer than necessary for the assessment and its settlement. Invoices and payment data themselves fall under the seven-year tax administration and go afterwards.

The order and delivery history is useful for the business, but here too there is a limit. Once a supply relationship has been settled and the tax period has passed, the purpose for holding the detailed data lapses. What you then still want to keep for analysis you are better off keeping anonymised, so it can no longer be traced back to a person.

Old customer databases and carriers

At a wholesaler old customer databases pile up over the years: exported CRM lists, per-customer price agreements, paper order slips and an old office server or backup carrier holding all the history. Paper does not belong in the open paper bin, because a customer list on the street is a reportable data breach. And an old hard drive you throw away holds recoverable data, even after a reset.

So treat old carriers just as carefully as confidential paper. A decommissioned server, laptop or external drive with customer files is physically destroyed, not merely wiped. How you separate confidential paper in the office and have it removed safely is set out in confidential paper destruction for businesses.

How to handle it in 6 steps

  1. Split the data into tax administration, customer accounts, credit data and old databases.
  2. Treat contacts as personal data, even in a B2B relationship.
  3. Keep the administration for seven years under the tax retention obligation.
  4. Clear out inactive customer accounts once the trading relationship has ended.
  5. Collect what may go in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Customer data is destroyed confidentially, because it contains contact, credit and payment data of your buyers. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old company server, laptop or backup carrier with customer files belongs with it too.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Customer data to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.


Common mistakes

  • Thinking B2B falls outside the GDPR. Contacts are simply personal data.
  • Keeping inactive customer accounts forever. Without a trading relationship the ground lapses.
  • Treating credit data as ordinary administration. It calls for extra restraint.
  • Wiping old carriers instead of destroying them. A reset leaves data recoverable.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long must a wholesaler keep customer records?

The purchase and sales administration, invoices and payment data fall under the seven-year tax retention obligation. Customer accounts and contacts you keep no longer than necessary for the trading relationship and its settlement.

May I keep old customer databases for marketing?

No, not just like that. You keep a customer database for a purpose. If that purpose disappears because a buyer has not ordered for years, the ground lapses and you clear out the database. Keeping it just in case is not a valid reason.

Are business contacts also personal data?

Yes. The name, business email address and phone number of a contact belong to a natural person and fall under the GDPR. Even in a B2B relationship you protect that data and clear it out on time.

How do I destroy customer data and old carriers in line with the GDPR?

Confidentially and with a certificate of destruction. Paper travels sealed and an old server, backup or hard drive with customer data is physically destroyed. You record the destruction in the record of processing.

Conclusion

A wholesaler works with contact, credit and payment data of every buyer, between the tax retention obligation and the GDPR. Keep the purchase and sales administration for seven years, treat contacts as personal data and clear out inactive customer accounts once the trading relationship ends. Credit and order data you keep no longer than necessary. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect your buyers' data.


Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.