GDPR Data Erasure Certificate Generator: Free Download

Reviewed by the eCycling Central editorial team - 1 June 2026. Operated by Defining Style Limited (UK Companies House 10572391, ICO Registration ZA711914). All data sources cited inline.

Under UK GDPR Article 5(1)(f) and the equivalent EU GDPR provision, every business that processes personal data must demonstrate that data is securely erased when no longer needed - and when devices are decommissioned, sold, returned, or recycled. A Certificate of Data Destruction is the standard evidence document; most data protection officers (DPOs) require one for every laptop, server, phone, or storage device leaving the business.

This generator produces a free, GDPR-aligned, NIST 800-88-compliant Certificate of Data Destruction you can complete in a browser and download as PDF. It's based on the templates used by R2v3 and e-Stewards-certified ITAD providers. Use it for laptops, servers, phones, SSDs, HDDs, tape backups, and embedded storage in printers, copiers, and IoT devices.

Generate certificate

Fill in the fields below. The certificate generates instantly. You can add up to 50 asset serials in one certificate.

Data controller (your company) Company number ICO registration Address Erasure performed by Date of erasure Erasure method Number of assets Asset list (one per line - serial number, device type, e.g. "ABC123, Dell Latitude 5520 SSD") Signed by (name) Role

Why this certificate exists

UK GDPR + EU GDPR don't mandate a specific certificate format - but they do require the data controller to be able to demonstrate that personal data was erased securely (Article 5(2) accountability principle). In practice, that means a written record showing:

What devices held personal data
What method was used to destroy that data
Who performed the destruction
When it happened
That the method is recognised industry-standard (NIST 800-88, DoD 5220.22-M, or HMG IS5)

The ICO has fined organisations for inadequate device disposal - most notably Tameside Energy Services Ltd (£20,000, 2019) for selling on a hard drive without wiping it. A standard Certificate of Data Destruction is the simplest defensible record.

NIST 800-88 vs DoD 5220.22-M vs HMG IS5

Three industry-recognised standards. They're not interchangeable - pick based on data sensitivity:

Standard	Origin	Method	Use case
NIST 800-88 Clear	US NIST (current)	Single overwrite + verify	Most common business data (HDD, SSD); GDPR-acceptable for non-special-category
NIST 800-88 Purge	US NIST	Cryptographic erase OR firmware secure erase OR degauss	SSDs, encrypted drives, devices being resold
NIST 800-88 Destroy	US NIST	Shredding, pulverising, melting	Failed drives, special-category data, devices that can't be wiped reliably
DoD 5220.22-M	US DoD (1995, withdrawn 2007)	3-pass overwrite (zeros, ones, random)	Legacy requirement in some procurement contracts - superseded by NIST 800-88 but still cited
HMG IS5 Enhanced	UK NCSC	3-pass overwrite + verify, OR physical destruction	UK Government and government-supplier data

For SSDs specifically, NIST 800-88 Purge (cryptographic erase) is the only reliably effective software method. DoD 5220.22-M overwrite was designed for spinning HDDs and doesn't reliably clear all flash cells on SSDs. If a drive can't be cryptographically erased (no encryption was enabled, or firmware doesn't support secure erase), physical destruction is the only safe route.

What to include in your asset register

For audit defensibility, the certificate should list every device with at minimum:

Serial number (manufacturer's serial, not your internal asset tag - though both is best)
Device type + model ("Dell Latitude 5520 SSD" not just "laptop")
Storage capacity (1 TB SSD vs 500 GB HDD - affects regulatory significance)

For sensitive data (HR records, customer financial data, health records), also include:

Erasure software used + version (e.g. "Blancco Drive Eraser 7.4")
Verification result (% sectors confirmed wiped)
Chain-of-custody log if the device was moved between locations before destruction

When you need a third-party ITAD provider certificate instead

This DIY generator works for most internal IT departments. You should use a third-party R2v3 / e-Stewards-certified ITAD provider's certificate (not this one) when:

Devices contained special-category personal data (health, biometric, financial, legal) - DPO usually requires third-party witness
Your organisation is subject to ISO 27001 audit (auditors prefer independent destruction evidence)
You're a financial services firm subject to FCA SYSC operational resilience requirements
You're a public-sector organisation subject to NCSC procurement rules
Volume exceeds ~50 devices (cost of internal wipe time exceeds ITAD pickup fee)

For high-volume B2B ITAD, our free quote service matches you to 3 R2v3 / e-Stewards / ISO 14001 providers in 1 business day.

Frequently asked questions

Is this certificate legally valid under GDPR?

The certificate documents your erasure activity in a format the ICO and EU supervisory authorities have repeatedly cited as acceptable evidence under Article 5(2) accountability. It is not itself a regulatory document - it is your evidence record. Final legal validity depends on whether the erasure method was actually executed correctly. For high-sensitivity data, supplement with a third-party witness certificate from an R2v3 / e-Stewards ITAD provider.

How long should I keep the certificate?

Most data protection lawyers recommend at least 6 years (statute of limitations for civil claims in England/Wales is typically 6 years). For special-category data or regulated sectors (FCA, healthcare), 7-10 years is standard. Store digitally with a hash for tamper-evidence - many DPOs use a cloud document store with WORM (Write Once Read Many) retention enabled.

Can I use this for personal devices (BYOD, employee laptops)?

Yes, but with caveats. BYOD raises a separate consent question - you usually can't wipe an employee's personal device without their written consent. For corporate-managed BYOD (e.g. an MDM-managed iPhone), selective wipe of the work container is usually permitted and should be documented with this certificate.

Do I need this for cloud-stored data too?

No - the certificate covers physical device erasure. Cloud data erasure is documented differently: typically a screenshot of the cloud-console deletion + an attestation from the cloud provider (most major clouds publish data-deletion attestations in their security documentation, e.g. AWS's NIST 800-88 attestation).

What if I can't access the device to wipe it (it's broken)?

Use NIST 800-88 Destroy method - physical destruction (shredding, drilling holes through platter / chip, or industrial pulverisation). Document the destruction with photos before, during, and after. R2v3 ITAD providers offer witnessed physical destruction with video evidence as a standard service.