Data destruction according to DIN 66399 GDPR and ISO 27001 compliant

Companies and authorities regularly have to destroy data carriers that are no longer needed. Some data storage media are in the form of paper files or print media. Hard drives, DVDs, USB sticks, SSDs and tapes must also be destroyed in accordance with DIN 66399. In practice, the variety of data carriers poses major challenges for the affected organizations.

Consequently, you have to proceed systematically in order to meet DIN 66399 as well as the data protection requirements (GDPR). Companies certified according to ISO 27001 must proceed according to their security measures when destroying information media.

The following types of data storage media contain sensitive information:

  • Products such as paper in different sizes
  • Microfilms and foils also contain data that needs to be protected
  • Optical data carriers (CD, DVD, BlueRay).
  • Magnetic data carriers (ID cards, credit cards)
  • Hard drives with mechanical disks
  • Electronic data carriers such as chip cards and tokens

Protection grades according to DIN 66399

The DIN 66399 standard defines the different protection classes to which data carriers are assigned:


  • Security level 1: General written material (e.g. brochures, catalogs)
  • Security level 2: Internal documents that are not particularly confidential (e.g. forms, guidelines, travel expense regulations)
  • Security level 3: recommended for confidential documents (e.g. offers, orders, documents with addresses)
  • Security level 4: documents that must be kept secret (e.g. personnel data, tax documents)
  • Security level 5: for maximum security requirements (e.g. medical reports, strategic plans)
  • Security level 6: secret service security requirements (e.g. research and development documents)
  • Security level 7: Data carriers with data that must be kept strictly secret if the highest security precautions must be observed (e.g. data from secret service or military areas)

The legal requirements of the GDPR (and other laws) apply to paper files and data carriers. Digital data must also be deleted after a prescribed period of time, in accordance with the requirements of the GDPR. Companies with a functioning information security management system (ISMS) are well advised to store these requirements clearly and clearly in the guidelines of their Appendix A. This means that after the retention period has expired, these digital files must be completely deleted in accordance with data protection regulations.