October 22, 2025
DIN 66399: The Standard for Secure Data Destruction
When dealing with sensitive information, data destruction isn’t just a good practice; it’s a necessity. The DIN 66399 standard outlines how to securely dispose of physical and digital data carriers to prevent unauthorised access. Developed by the Deutsches Institut für Normung, this standard offers a detailed framework for companies that handle confidential information.
DIN 66399 is a German standard that defines how to properly destroy data carriers to ensure that data cannot be reconstructed. It replaces the older DIN 32757 standard and significantly expands upon it. This updated framework looks at the size of shredded particles. It also classifies information based on its sensitivity level.
DIN standards help businesses manage information security risks by setting clear destruction requirements. DIN 66399 is part of a wider group of DIN standards that apply across various industries. Its specific focus is on protecting data through physical and digital destruction.
Protection Classes and Security Levels
DIN 66399 categorises data destruction into three protection classes, which are linked to seven security levels (1 to 7). The higher the level, the smaller the destroyed particle and the more secure the destruction.
The 7 Security Levels of DIN 66399
Level 1: General documents. Low security; for non-sensitive material.
Level 2: Internal documents. Basic protection for internal use.
Level 3: Sensitive or confidential data. Includes personal data and other private information.
Level 4: Particularly sensitive or confidential data. Stricter shredding requirements.
Level 6: Highly secret data. For sensitive operations or protected sectors.
Level 7: Top secret data. Maximum security; smallest possible particle size.
Protection Class 1 – Normal Protection
This class applies to internal or general data, which is often accessible to large groups within an organisation.
Example data: Internal memos, general administrative records
Impact of breach: Low; may cause limited damage to the organisation
Personal data: Still requires protection to prevent risks to individuals’ privacy or financial well-being
Security levels: 1, 2, 3
Protection Class 2 – High Protection
This class covers confidential data accessed by a smaller group of authorised individuals.
Example data: HR files, customer data, contracts
Impact of breach: Moderate to high; unauthorised disclosure could violate laws or contracts and cause significant harm to the organisation
Personal data: Must meet stricter protection standards due to potential financial or social impact
Security levels: 4, 5
Protection Class 3 – Very High Protection
This class is for highly sensitive or secret data, limited to only a few authorised individuals.
Example data: Government documents, classified business plans, medical records
Impact of breach: Severe; could lead to legal violations, safety risks, or threats to individual freedoms
Personal data: Requires maximum protection due to potential impact on health, safety, or personal freedom
Security levels: 6, 7
At level 7, materials are destroyed to such a small particle size that data recovery becomes virtually impossible. That’s why following the DIN 66399 norm is essential for preventing data breaches.
Material Categories: The PFOTHE Classification
The standard uses six material classifications to indicate the type of data carrier. These are always used in combination with a security level, e.g. P-5 or H-3.
P – Paper and printed materials (e.g. documents, books)
F – Film-based materials (e.g. microfilm, microfiche)
E – Electronic storage devices (e.g. USB sticks, memory cards)
Each classification allows for different DIN settings, defining how thoroughly the media must be destroyed depending on its format and data type.
ISO Certification: Why It Matters
Being compliant with DIN standards often goes hand-in-hand with holding relevant ISO certifications. These international standards demonstrate that a company manages its processes in a secure and sustainable way.
ISO 9001: Quality management systems
ISO 14001: Environmental management
ISO 27001: Information security management
A provider with all three certifications is more reliable. They are more likely to follow the strict processes defined by DIN 66399. These certifications are audited annually by independent bodies, offering external validation of the company’s compliance.
WEEELABEX-Compliant Recycling
Data carriers like USBs, smartphones, and hard drives often fall under the WEEE (Waste Electrical and Electronic Equipment) directive. To comply with local and European regulations, it’s important to choose a data destruction partner that recycles e-waste responsibly.
Working with a WEEELABEX-compliant partner ensures:
Full traceability of destroyed equipment
Environmentally responsible recycling
Compliance with Dutch and EU law
This level of transparency also supports organisations striving for sustainability and responsible IT asset disposal.
The Destruction Certificate: Full Transparency
After the data destruction process is complete, most professional companies provide a destruction certificate. This document includes detailed information about:
What was destroyed
When and where the destruction occurred
The method and security level used
For organisations that hold ISO certifications, such documentation can be essential during audits. It acts as formal proof that sensitive data was handled and destroyed according to applicable standards, including DIN 66399.
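As an added example (not part of the original article or of the standard itself), the following Python sketch checks a destruction certificate record against the protection class an asset requires, using the class-to-level mapping and the designation format (e.g. P-5, H-3) given on this page. The record field names are hypothetical, and treating a level above the class's range as acceptable is an assumption based on "the higher the level, the more secure".

```python
import re

# Protection class -> security levels, exactly as listed on this page.
CLASS_LEVELS = {1: (1, 2, 3), 2: (4, 5), 3: (6, 7)}
MATERIALS = set("PFOTHE")  # the six category letters in the page's acronym
# Hypothetical field names for what/when/where/method/level on a certificate.
REQUIRED_FIELDS = ("what", "when", "where", "method", "designation")
DESIGNATION = re.compile(r"^([A-Z])-([1-7])$")

def parse_designation(code):
    """Split 'H-5' into ('H', 5); raise ValueError on anything else."""
    m = DESIGNATION.match(code.strip().upper())
    if not m or m.group(1) not in MATERIALS:
        raise ValueError(f"not a valid designation: {code!r}")
    return m.group(1), int(m.group(2))

def audit_certificate(record, required_class):
    """Return a list of findings; an empty list means the record passes."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if "missing field: designation" in findings:
        return findings
    try:
        material, level = parse_designation(record["designation"])
    except ValueError as exc:
        return findings + [str(exc)]
    # Assumption: higher levels mean smaller particles, so the lowest level
    # of the required class is the floor and anything above it also passes.
    floor = min(CLASS_LEVELS[required_class])
    if level < floor:
        findings.append(
            f"{material}-{level} is below level {floor} required for class {required_class}"
        )
    return findings

# Constructed sample records (not real certificates), with required class.
SAMPLES = [
    ({"what": "40 HDDs", "when": "2025-10-01", "where": "on site",
      "method": "shredding", "designation": "H-5"}, 2),
    ({"what": "HR archive", "when": "2025-10-02", "where": "plant",
      "method": "shredding", "designation": "P-3"}, 2),
    ({"what": "USB sticks", "when": "", "where": "plant",
      "method": "shredding", "designation": "E-9"}, 3),
]

if __name__ == "__main__":
    for record, cls in SAMPLES:
        print(record["designation"], audit_certificate(record, cls) or "OK")
```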
Why DIN 66399 Matters
DIN 66399 provides the structure and precision needed to destroy data securely. With its 7 security levels, this standard is a must-follow for companies handling sensitive information.
Understanding how DIN standards work is key. Choosing an ISO-certified, WEEELABEX-compliant partner protects your data and helps you meet your legal and environmental duties.
Choose certified, transparent, and compliant destruction, and keep your organisation secure from data leaks or non-compliance penalties.