Data destruction regulations in Europe: what ITAD operators must know
Every corporate device that passes through an ITAD operator contains data. Under European law, that data must be destroyed to a documented standard before the device can be resold, recycled, or even transported. For ITAD operators, data destruction is not just a service. It is a legal obligation and the foundation of the entire business.
What is happening
The General Data Protection Regulation (GDPR) is the primary legal framework governing data destruction in Europe. GDPR applies to all personal data held on any device, and it places clear obligations on both the organisation that owned the device and the ITAD operator that processes it.
Under GDPR Article 17, data subjects have the right to erasure. Under Article 5, organisations must ensure data is not kept longer than necessary. When a business retires a laptop, phone, or server, the data on that device must be destroyed. The original organisation remains legally responsible for that data even after the device leaves its premises.
What "secure erasure" means under EU law
GDPR does not specify a particular technical method for data destruction. Instead, it requires that data is rendered irrecoverable using appropriate technical measures. In practice, the industry relies on recognised standards to define what counts as secure erasure.
The most commonly referenced standards are:
- NIST 800-88 (Guidelines for Media Sanitization) from the US National Institute of Standards and Technology, widely adopted in Europe
- IEEE 2883-2022, which provides updated guidance for modern storage media including SSDs and NVMe drives
- BSI-GS standards used in Germany for classified government equipment
Software-based overwriting is the standard approach for devices that will be resold. The erasure software writes data across the entire storage medium, including hidden areas and remapped sectors, making the original data unrecoverable. For SSDs, which handle data differently from traditional hard drives, secure erase commands built into the drive firmware are used alongside verification steps.
Erasure versus physical destruction
Not all devices can be wiped by software. Drives that are damaged, encrypted with lost keys, or from particularly sensitive environments may require physical destruction. This means shredding the storage medium to a particle size that makes data recovery impossible.
The choice between erasure and destruction has commercial implications. A device with a wiped drive can be resold on the secondary market. A device with a destroyed drive cannot, or must be sold without storage. For ITAD operators, software erasure preserves residual value while physical destruction eliminates it.
Both methods are acceptable under GDPR, provided they are documented and verifiable. The key requirement is evidence that the method used was appropriate for the risk level of the data involved.
Certificate requirements
Documentation is where many ITAD operations succeed or fail on compliance. Every data destruction event should produce a certificate that includes:
- The serial number of the device and the storage medium
- The method used (software overwrite, secure erase command, physical destruction)
- The standard followed (NIST 800-88, IEEE 2883, or equivalent)
- The date and time of destruction
- The identity of the operator or system that performed the erasure
- A verification result confirming the process completed successfully
These certificates serve as the audit trail. When a corporate client needs to demonstrate GDPR compliance to regulators or auditors, the data destruction certificate from their ITAD provider is the primary evidence. Without it, the organisation cannot prove that data was properly handled.
Some enterprise clients require certificates within 24 or 48 hours of device collection. Others require real-time reporting through a portal. The ability to generate and deliver certificates quickly and consistently is a competitive differentiator for ITAD operators.
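The certificate fields and delivery deadlines described above can be checked automatically before a certificate is released to a client. The following is an added example, not code from the article or from any erasure product; the field names, the `audit_certificate` function and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fields the article lists for every certificate. Key names are this
# example's assumption, not a standard schema.
REQUIRED = ("device_serial", "media_serial", "method", "standard",
            "destroyed_at", "operator", "verification")
METHODS = {"software overwrite", "secure erase command", "physical destruction"}


def audit_certificate(cert, collected_at, issued_at, sla_hours=48):
    """Return a list of findings; an empty list means the record is complete."""
    findings = [f"missing {f}" for f in REQUIRED
                if not str(cert.get(f) or "").strip()]
    method = cert.get("method")
    if method and method not in METHODS:
        findings.append(f"unrecognised method: {method}")
    if cert.get("verification") not in (None, "", "pass"):
        findings.append("verification did not pass")
    raw = cert.get("destroyed_at")
    if raw:
        try:
            destroyed = datetime.fromisoformat(raw)
        except (TypeError, ValueError):
            findings.append("destroyed_at is not an ISO 8601 timestamp")
        else:
            if destroyed.tzinfo is None:
                # Ambiguous local times weaken the audit trail.
                findings.append("destroyed_at has no timezone")
            elif destroyed > issued_at:
                findings.append("certificate issued before destruction")
    if issued_at - collected_at > timedelta(hours=sla_hours):
        findings.append(f"certificate delivered after {sla_hours}h SLA")
    return findings


# Constructed sample data (not real devices or certificates).
COLLECTED = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
GOOD = {"device_serial": "LT-0001", "media_serial": "SSD-A1",
        "method": "secure erase command", "standard": "IEEE 2883",
        "destroyed_at": "2026-03-02T14:05:00+00:00",
        "operator": "station-04", "verification": "pass"}
BAD = dict(GOOD, media_serial="", verification="fail")

if __name__ == "__main__":
    print(audit_certificate(GOOD, COLLECTED, COLLECTED + timedelta(hours=20)))
    print(audit_certificate(BAD, COLLECTED, COLLECTED + timedelta(hours=60)))
```

A destruction time earlier than the collection time is deliberately not flagged, since on-site erasure happens before the devices are transported.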
Why it matters
Data destruction compliance is the single most important capability an ITAD operator can offer. Without it, nothing else in the chain works.
Corporate procurement teams evaluate ITAD providers primarily on data security. Price, speed, and value recovery all matter, but data handling comes first. A breach traced back to an improperly wiped device is a GDPR violation that can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The reputational damage from a data breach is equally serious. Organisations that have experienced data incidents through poor IT disposal practices face public scrutiny, customer loss, and regulatory attention that lasts years.
For ITAD operators, this means investing in certified erasure tools, training staff, and maintaining documentation systems that can withstand audit. It also means staying current with evolving standards, because storage technology changes and erasure methods must keep pace.
What to watch
Several developments are worth monitoring in 2026 and beyond.
The European Data Protection Board is expected to publish updated guidance on data destruction best practices, which may create a more standardised EU-wide framework. Currently, national data protection authorities interpret GDPR requirements slightly differently, creating complexity for ITAD operators working across borders.
The rise of NVMe and advanced SSD technology is challenging traditional erasure methods. Newer drives use more complex wear-levelling and data management, which means older overwrite methods may not reach all stored data. Standards bodies are updating their guidance, and ITAD operators must update their tools accordingly.
Client expectations are rising. More enterprises are requesting on-site data destruction, where the ITAD operator performs erasure at the client's premises before transporting devices. This adds operational complexity but satisfies clients with the strictest security requirements.
Frequently asked questions
What does GDPR require for data destruction? GDPR requires that personal data on retired devices is rendered irrecoverable using appropriate technical measures. It does not mandate a specific method, but the process must be documented and verifiable. Most ITAD operators follow NIST 800-88 or IEEE 2883 standards.
What is the difference between data erasure and physical destruction? Data erasure uses software to overwrite or securely erase storage media, leaving the device intact and resaleable. Physical destruction shreds the storage medium entirely. Both are GDPR-compliant when properly documented, but erasure preserves the device's resale value.
Do ITAD operators need to provide data destruction certificates? Yes, in practice. While GDPR does not explicitly require a certificate, organisations need auditable evidence of data destruction to demonstrate compliance. Certificates that include device serial numbers, methods used, standards followed, and verification results are industry standard.
What happens if data is found on a resold device? If personal data is discovered on a device that was supposed to be wiped, it constitutes a data breach under GDPR. The original data controller (the organisation that owned the device) bears primary legal responsibility, but the ITAD operator's reputation and contracts are also at risk.
Can SSDs be securely erased with software? Yes, but the method differs from traditional hard drives. SSDs require specific secure erase commands or cryptographic erasure rather than simple overwriting. ITAD operators must use tools that support modern SSD and NVMe erasure methods and verify the result.