Do I need to digitise all my paper documents?

No, that's not required. You may keep personal data on paper, as long as you secure it adequately. Digitising can offer advantages for searchability and security, but it's not a GDPR requirement.

How should I destroy paper documents?

Use a paper shredder, preferably cross-cut (DIN level P-4 or higher). Never simply throw documents with personal data in the recycling bin. For large volumes, you can engage a certified destruction company.

Does a data breach also apply to paper documents?

Yes. If a folder with personnel files is stolen, lost, or accessed by unauthorised persons, that is a data breach under the GDPR. The same notification and registration obligations apply as with a digital breach.

Security of Paper Documents under the GDPR

The GDPR doesn't only apply to digital data. Paper documents containing personal data must also be secured. This article explains the measures you need to take for physical files, contracts, and correspondence.

Don’t forget your paper files

Many businesses focus GDPR compliance on their digital systems, but forget that the law also applies to paper documents. A folder with employment contracts, a binder with customer data, a printout of a medical file - all fall under the GDPR.

And honestly: paper documents are often less well secured than digital ones. They sit on desks, in open cabinets, or in cardboard boxes in the attic.

Which paper documents contain personal data?

More than you think:

Personnel files - employment contracts, payslips, sick notes, performance reviews
Customer data - quotes, contracts, correspondence, order forms
Financial documents - invoices with name/address, bank statements, tax returns
Legal documents - court papers, complaints, evidence
Medical data - patient files, prescriptions, absence records

Practical security measures

Storage

Store documents with personal data in lockable cabinets or rooms
Limit access to employees who need the data for their work
Label cabinets or folders to clarify contents and who has access

Clean desk policy

Don’t leave documents with personal data unattended on your desk
File documents when you leave your workspace, even for a short break
Don’t leave incoming post with personal data open on a shared reception desk

Destruction

Use a paper shredder for documents whose retention period has expired
Cross-cut shredders (DIN P-4 or higher) offer more security than strip-cut
For large volumes: engage a certified destruction company that provides a destruction certificate
Also destroy copies, drafts, and sticky notes with personal data

Transport

Transport paper documents in locked bags or folders
Don’t leave folders unattended in your car
Send documents with personal data by registered post or courier

Don’t forget to document

As with digital security, you must be able to demonstrate what measures you’ve taken. Record:

Where paper documents are stored
Who has access
How and when they are destroyed
Which retention periods you apply

auto_awesome Document your security measures

GDPRWise helps you record all security measures, including for physical documents and files.

Start your free scan

Data Security for Paper Documents