1. HSM
  2. Shredding
  3. Other
  4. Information about data protection
  5. Data carriers
  6. Data on paper

Destroying data securely - Data on paper

Despite increasing digitalization in companies, personal data is still often collected in paper form, whether through completed forms, contracts or printed e-mails. Even business cards represent personal data in paper form.

Since the General Data Protection Regulation (GDPR) came into force in 2018, the disposal or destruction of this personal data is precisely regulated. This applies to the disposal of old files after the retention periods have expired (Keeping data) or when the right to delete the data has been exercised.

Papierkorb

Destroying data on paper - Procedure

The GDPR stipulates that data on paper must be destroyed in such a way that its contents cannot be reconstructed.

This means that it is not sufficient to throw the data into the waste paper basket or to tear it up. This would mean that the data is still accessible and could be viewed by unauthorized persons. Especially if the data end up in the wastebasket only roughly or not torn up at all. This form of disposal is therefore not compliant with data protection regulations, as the data can be recovered.

To delete data on paper in compliance with the GDPR, it must be destroyed in a form which makes reconstruction impossible. The protection classes and security levels of the data play a particularly important role here, i.e. it must be determined how much protection is required in order to destroy the data at the correct security level. The higher the need for protection, the higher the protection class to be selected. A detailed description of protection classes and security levels can be found on our page Protection Classes and Security Levels.

What data on paper can be destroyed?

If documents in paper form contain sensitive data or personal data, they must be destroyed. This is stipulated by GDPR. Even private households should destroy documents with sensitive, personal data, because the misuse of data also occurs in private settings. The following documents or data on paper with the following content must be destroyed:

  • Documents with name/address
  • Bank statements
  • General bank data
  • Passwords
  • Invoices
  • Email addresses
  • Medical data
  • etc.

You can find an overview of the retention periods for private and business documents on our website.

geschreddertes Papier

Shredding data on paper - What must be considered?

When data on paper is destroyed, there are a few points to consider. Even after destruction, these data could be accessed and viewed by unauthorised persons (third parties). The main risk here is the improper destruction of paper data, for example by disposing of it in a waste paper basket.

Another risk, however, lies in the external destruction of data, i.e. an external company is commissioned with the destruction of personal data on paper. This is because the risk remains with the original company until the data has actually been destroyed. You can read a detailed comparison of internal vs. external destruction on the page Internal vs. External Data Destruction.

It is therefore recommended that data on paper is destroyed directly at the place of origin or where the data is processed (e.g. office, workplace). This is the only way to be completely certain that the data does not fall into unauthorized hands. We therefore recommend the purchase of a GDPR-compliant document shredder for the office.

In the home office in particular, the danger of data being accessed by unauthorized third parties is very high. For this reason, the home office should also be equipped with a GDPR-compliant document shredder as soon as personal data is processed in paper form.

You can read about what else you need to know about data protection in your home office on the page data protection in the home office.

Which document shredders?

The use of a suitable document shredder is necessary to destroy documents with sensitive, personal data in accordance with GDPR. There are document shredders with cross-cuts and strip-cuts. For GDPR-conforming data destruction in paper form, the HSM experts recommend a cross-cut document shredder. In our document shredder product advisor, you will find a detailed description of both these cut versions and what you should also consider when selecting a suitable document shredder.