Data protection law also regulates the correct destruction of data. Documents in non-digital form must be destroyed in accordance with these legal requirements, just like files and documents on data carriers.
Despite these legal requirements, using a document shredder with the wrong security level, or not using a document shredder at all, is still among the most common data protection gaps. Documents with personal data do not belong in a waste paper basket, but in a GDPR-compliant document shredder, according to "eu.hsm.eu".
Which data have to be destroyed according to the GDPR?
Although the data protection regulations generally state that papers and documents in hard copy also have to be destroyed, this is not necessarily true for all documents. It depends on the data they contain. You do not have to put every document through a document shredder, only those documents which contain data requiring protection. The GDPR names documents with personal data: according to the GDPR, it is above all personal data that must be destroyed.
What are personal data?
According to the GDPR, it is particularly important to protect data which refer to a person. These are, above all, data which can be assigned to a natural person or which refer to a natural person. You will find a specific list of which details are considered to be personal data on our website. These are exactly the data which have to be destroyed in compliance with the GDPR.
What has to be observed regarding GDPR compliant document destruction?
There are several points to observe to ensure a GDPR compliant destruction of personal data. Most important is, of course, the use of a document shredder which meets the data protection requirements. If you use a document shredder which does not fulfil the data protection requirements, you have a data protection breach. This means that the data will not be destroyed in compliance with the GDPR. It is therefore vital to use a shredder which is GDPR compliant.
Which document shredder is GDPR compliant?
If files and documents contain personal data, their destruction in accordance with data protection laws must be carried out without fail. The use of a GDPR-compliant document shredder is recommended for this purpose.
But when is a document shredder GDPR compliant?
There are various security levels which document shredders meet – or don’t meet. The more sensitive the data are, the higher the security level of the document shredder should be to ensure data protection. A description of the different protection classes and security levels can be found on our site Security Levels and Protection Classes. A document shredder is GDPR compliant when it has a security level of at least P-4 (recommended by the HSM experts).
HSM therefore recommends a GDPR-compliant shredder with a security level of at least P-4. The amount of data to be destroyed and other criteria should also be considered when purchasing a suitable shredder.
For data with higher sensitivity, we recommend the purchase of a shredder with a higher security level. These levels are determined by ISO/IEC 21964 (DIN 66399).
Which Security Levels are there for Paper & which one is needed when?
There are a total of 7 security levels for paper, each with their respective requirements. To put it simply: the higher the number after the "P", the finer the paper is shredded by the document shredder. That means that the smaller the particle size or strip width of the shredded paper, the higher the security level and therefore the more difficult it is to reconstruct the information.
Security level P-1
- Suitable for general documentation such as catalogues, brochures
- Strip width max. 12 mm
- Shreds an A4 document into approx. 17.5 strips
- Easily possible to reconstruct the information
Security level P-2
- Suitable for internal information such as old instructions, travel guidelines, notices
- Strip width max. 6 mm
- Shreds an A4 document into approx. 35 strips
- Possible to reconstruct the information with a certain effort
Security level P-3
- Suitable for sensitive and confidential as well as personal data such as turnover analyses, offers with personal address data
- Particle size max. 320 mm²
- Shreds an A4 document into approx. 194 particles
- Data reconstruction only possible with considerable effort
Security level P-4
- Suitable for particularly sensitive and confidential data as well as personal data such as balances, salary statements, personal data, employment contracts
- Particle size max. 160 mm²
- Shreds an A4 document into approx. 389 particles
- Data reconstruction only possible with extraordinary effort
Security level P-5
- Suitable for information of existential importance which has to be kept secret such as medical reports, patents, design documents
- Particle size max. 30 mm²
- Shreds an A4 document into approx. 2,079 particles
- Data reconstruction only possible with an undefined amount of effort
Security level P-6
- Suitable for documents which are to be kept secret and which require extraordinary security precautions, e.g. research and development documents, official areas
- Particle size max. 10 mm²
- Shreds an A4 document into approx. 6,237 particles
- Data reconstruction currently not possible with the available technology
Security level P-7
- Suitable for documents to be kept top secret with the highest possible security precautions such as secret service or military documents
- Particle size max. 5 mm²
- Shreds an A4 document into approx. 12,747 particles
- Data reconstruction impossible
Which Cutting Style is suitable for which Security Level?
Strip cut
In strip cut, each sheet of paper is shredded into strips max. 6 mm wide. The length of the strips corresponds to the width of the paper fed into the shredder.
Cross cut/Particle cut
Cross cut document shredders cut documents diagonally in both directions and generate small paper particles.
Micro cut
The finest of all cutting types: a special version of the cross cut which makes reconstruction of the data impossible.
Which Protection Classes are there?
The protection classes ensure that the security levels are grouped correctly. There are 3 protection classes:
| Protection Class | Application | Corresponds to Security Level |
| --- | --- | --- |
| Protection Class 1 | Normal protection requirement for internal data | P-1, P-2, P-3 |
| Protection Class 2 | Higher protection requirement for confidential data | P-3, P-4, P-5 |
| Protection Class 3 | Very high protection level for particularly confidential and secret data | P-5, P-6, P-7 |
Normal protection requirement for internal data (Protection Class 1)
Information which, in the case of a data protection infringement, has a limited negative effect on a company, e.g. memoranda, general correspondence
Higher protection class for confidential data (Protection Class 2)
If there is a data protection violation, the affected person can be adversely affected with regards to their social position or to their financial situation, e.g. account statements, certificates or references
Very high protection requirement for particularly confidential and secret data (Protection Class 3)
Data protection violations would be an existential threat, e.g. particularly sensitive medical data, tax data
Read the full article on "eu.hsm.eu".







