Data protection-compliant document destruction: This is how it works in an environmentally friendly and fast way

Paperwork is not exactly a favorite pastime for many people - whether in the private household or in your own company, large amounts of paper waste accumulate within a few days. So that the chaos doesn't get any bigger than it already is, you have to regularly sort out superfluous documents. In the commercial sector there are more precise specifications, but you should also make private documents unrecognizable as much as possible.

In this article we will show you the legal basis and how data protection-compliant document destruction can work in an environmentally friendly and fast way!

Legal basis for data protection-compliant document destruction

First of all, we want to take a look at the basics of document shredding in Germany and Europe and why it is so important. The European General Data Protection Regulation not only regulates the collection, storage and use of personal data , but also its destruction. Companies are obliged to comply with certain principles and rules when destroying files in accordance with data protection regulations, regardless of whether the data is on paper or digital files.

The DIN standard 66399 applies to the security levels for data protection-compliant document destruction. It regulates exactly how small data carriers – for example paper – must be shredded so that they can be disposed of safely. The various security levels regulate the size of the individual pieces of paper after destruction. The level of security is usually indicated on a shredder, ranging from level one for general data to level seven for highly sensitive data.

Important: Personal data must be destroyed at least at level three. This includes, for example, address data or telephone numbers. However, many cheap document shredders only fulfill level one or two and are unsuitable for this, so be careful!

As an entrepreneur, you can also take care of data protection-compliant document destruction yourself. However, TÜV experts recommend that you hire an external company to destroy particularly large amounts of data, because otherwise mistakes can easily creep in here.

With digital data, you should leave the data protection-compliant document destruction to the experts - because simple deletion is not enough here, the data must not be recoverable. So play it safe here and hire a specialist company to delete the data from hard drives and the like.

That was the legal basis for data protection-compliant document destruction according to the applicable DIN standard. In the following paragraphs we will look at what needs to be considered when destroying and how it can be done in the most environmentally friendly way possible.

Would you like to learn more about exciting topics related to employment law ? Then feel free to have a look at our desqup blogs - here you can find out, for example, how it is legally with a dog in the office and what you have to consider!

This is how data protection-compliant document destruction works

When it comes to data protection-compliant document destruction , there is no way that is equally applicable to all data. Depending on how sensitive and worthy of protection the data is, it must be destroyed at a higher security level. The higher the security level, the more difficult it is to recover the data after destruction . According to DIN 66399, there are a total of seven security levels that regulate the destruction of data.

These are the seven security levels, which are always attached to a paper shredder:

• Stage 1: Reproduction is possible without tools with a certain expenditure of time
• Stage 2: Reproduction requires certain tools, such as magnifying glasses
• Level 3: Sensitive and confidential data make the reproduction very expensive
• Stage 4: Large expenditure of time and personnel required for the reproduction
• Level 5: Reproduction only possible with forensic equipment
• Stage 6: Destruction of all data so that it cannot be recovered even with technical methods
• Level 7: Makes reproduction absolutely impossible and is used for top-secret data

In addition to these security levels for destruction, the protection classes must also be observed. These are based on the data protection regulations and roughly limit which data is to be assigned to which security level. There are the following protection classes:

• Protection class 1 applies to normal sensitive data. If it were to be published here, it would hardly have any negative effects or damage, so this applies above all to normal data such as advertising or address labels
• Protection class 2 applies to all data with increased protection requirements. This means that data that is only accessible to certain people must be destroyed. For example, applicant or personal data or payslips
• Protection class 3 should definitely avoid the publication of the data. Damage can occur here if these are made public or lost. In the worst case, people's livelihoods are threatened here

Data protection-compliant document destruction is only possible when the retention periods for the respective files have expired. These are between six and ten years, depending on the type of data. This period always begins in the calendar year that is noted on the corresponding data medium . If a letter was created in July 2008, it may only be destroyed in August 2018.

Small document shredders usually do not meet the standards required for offices or medical practices. Here you should use data protection-compliant document shredders that also meet the applicable DIN standard .

This is how a paper shredder works

For data protection-compliant document destruction, you will inevitably need a document shredder – no matter what size. Depending on the protection class and security level of your documents, you must make sure that the document shredder is actually approved for these documents so that there are no legal difficulties.

A paper shredder cuts the papers into tiny pieces. Either in the strip cut , in the cross cut or in what is probably the safest micro cut, in which the pages are cut into tiny particles. The strip cut is not particularly secure and only rarely meets data protection regulations; it is primarily used in the private sector. The cross cut, on the other hand, is a little safer and is also used for many commercial document shredding. With top-of-the-line document shredders, the shredded data is pressed through a wire screen, which is used for government documents, for example.

Document destruction is a sensitive topic that should be taken very seriously, especially in large companies. The data protection officer of each company is responsible for ensuring that these provisions are met and also permanently observed. If you are unsure about data protection-compliant document destruction, it is advisable to hire an external company to do this.

Many things are important in a successful office – including a healthy and ergonomic workplace . At desqup , we have made it our goal to equip every company with high-quality office furniture, for example with our height-adjustable desks . Feel free to visit our website and learn more about all our products !