Shredding Standards Explained: DIN 66399 Security Levels and How to Choose the Right One
When you destroy documents or media, you’re safeguarding customers, employees, and your organization’s reputation. DIN 66399 security levels give you a clear, auditable way to match destruction methods to risk so confidential data destruction is consistent, defensible, and effective.
This guide explains the DIN 66399 classification codes, how particle size specifications work, and practical steps to choose the right level for your records and devices.
Overview of DIN 66399 Standard
DIN 66399 is a standardized framework for secure data destruction across paper and digital media. It defines data sensitivity categories (protection classes), security levels (1–7), and media types so you can select equipment and processes that deliver security level compliance.
The standard brings three ideas together. First, it classifies media by type because paper, optical discs, tapes, and solid-state devices break down differently. Second, it assigns security levels that scale from basic to extremely high protection. Third, it sets measurable shredding performance criteria you can test and document.
Each destruction task is expressed as a DIN 66399 classification code, such as P-4 for paper or H-5 for hard drives. With a single code, you communicate both the media and the targeted protection level to staff and vendors.
Classification of Security Levels
DIN 66399 defines seven ascending security levels. As the level increases, allowable particle dimensions get smaller and reconstruction risk drops.
- P-1: Large particles for low-risk, general information where reconstruction poses minimal harm.
- P-2: Reduced particle size for internal documents not intended for public release.
- P-3: Smaller particles for sensitive information requiring hindered reconstruction.
- P-4: Cross-cut particles for confidential information; a common baseline for many businesses.
- P-5: Micro-cut particles for secret or highly sensitive records where reassembly must be highly impractical.
- P-6: Very small particles for very high security needs and elevated impact if compromised.
- P-7: Ultra-fine particles for the highest protection, where any disclosure would be catastrophic.
Media categories and DIN 66399 classification codes
Media types carry letter prefixes. Common categories include P (paper), F (film), O (optical media), T (magnetic tapes), H (hard disk drives), and E (electronic data media such as SSDs, USB drives, and memory cards). Combine the letter with a level to form a complete code (for example, P-5, H-5, or E-6).
Protection classes (data sensitivity categories)
- Protection Class 1 (normal): internal data; typically P-1 to P-3 (and equivalent levels for other media).
- Protection Class 2 (high): confidential data; often P-3 to P-5.
- Protection Class 3 (very high): strictly confidential or secret data; typically P-5 to P-7.
Data Sensitivity and Security Level Matching
Match the level to the business impact if information is exposed. Start with the data’s sensitivity, then consider legal duties, partner expectations, and the threat environment.
- General office material (drafts, brochures, routine memos): P-2 to P-3.
- Operational records (invoices, client correspondence, internal reports): P-3 to P-4.
- Confidential business data (HR files, payroll, non-public financials): P-4 to P-5.
- Strategic or legal data (IP, R&D notes, M&A files, attorney-client materials): P-5 to P-6.
- Highest-risk data (state secrets, defense, critical infrastructure plans): P-6 to P-7.
For non-paper media, apply the same logic using the relevant category codes. Examples: E-5 or higher for SSDs storing sensitive data, H-5 or higher for hard disk drives with confidential records, and O-4 or higher for optical discs containing restricted information.
Particle Size and Shredding Requirements
Each security level has particle size specifications that cap the maximum particle surface area and, for many levels, the maximum particle width. Higher levels mandate smaller, more uniform pieces to reduce reconstruction feasibility.
Cut type matters. Strip-cut machines generally serve lower levels, while cross-cut and micro-cut achieve tighter requirements at P-4 and above. Disintegrators and pulverizers are often used for higher levels and for non-paper media where shredding must produce fine granules.
Performance and verification
To claim security level compliance, your destruction process must consistently produce particles that meet or are smaller than the level’s thresholds. Verify with representative test runs, measure particles, and retain results as part of documented destruction protocols. Evaluate additional shredding performance criteria such as throughput, duty cycle, jam detection, thermal safeguards, and dust control to ensure reliability at scale.
For magnetic and electronic media (T, H, E), you may combine methods—such as degaussing plus shredding or shredding plus disintegration—to achieve the targeted level and lower residual risk.
Guidelines for Selecting Appropriate Security Levels
- Classify your information. Map record types to data sensitivity categories (internal, confidential, strictly confidential) and note potential harm from disclosure.
- Identify legal and contractual drivers. Align levels to obligations stemming from privacy, financial, healthcare, or government requirements, as well as customer and partner mandates.
- Match media to codes. Choose P, O, T, H, or E depending on the asset, then select the security level that meets your risk tolerance.
- Balance risk and operations. Higher levels increase cost, maintenance, and time; plan for capacity, noise, dust, and waste handling.
- Standardize with policy. Define DIN 66399 classification codes for common record types and embed them in retention schedules, labels, and work instructions.
- Decide in-house vs. vendor. If using a service provider, require proof of security level compliance, equipment capabilities, background checks, and secure chain of custody.
- Test before rollout. Run acceptance tests with real materials, confirm particle outcomes, and document the method as part of your quality system.
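The classification and matching steps above can be checked mechanically against a destruction log. The Python sketch below is an added example, not part of the original guide or of the standard; the log fields, record IDs, and the use of the low end of each protection class's typical range as the policy floor are assumptions.

```python
import re

# Media prefixes listed in this guide; levels run 1-7.
MEDIA = {"P": "paper", "F": "film", "O": "optical media", "T": "magnetic tape",
         "H": "hard disk drive", "E": "electronic data media"}
# Assumption: the policy floor is the low end of the guide's typical range
# per protection class (Class 1: 1-3, Class 2: 3-5, Class 3: 5-7).
CLASS_FLOOR = {1: 1, 2: 3, 3: 5}
CODE_RE = re.compile(r"([A-Z])-([1-7])")

def parse_code(code):
    """Split a code such as 'P-4' into (media prefix, level) or raise ValueError."""
    m = CODE_RE.fullmatch(code.strip().upper())
    if m is None or m.group(1) not in MEDIA:
        raise ValueError(f"not a valid DIN 66399 code: {code!r}")
    return m.group(1), int(m.group(2))

def audit_entry(entry):
    """Return the findings for one destruction-log entry (empty list = compliant)."""
    try:
        media, level = parse_code(entry["achieved"])
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if media != entry["media"]:
        findings.append(f"code is for {MEDIA[media]}, asset is {MEDIA[entry['media']]}")
    floor = CLASS_FLOOR[entry["protection_class"]]
    if level < floor:
        findings.append(f"level {level} below floor {floor} for class {entry['protection_class']}")
    return findings

def audit_log(log):
    """Map record id -> findings, for non-compliant entries only."""
    results = {e["id"]: audit_entry(e) for e in log}
    return {rid: f for rid, f in results.items() if f}

def harmonized_level(codes):
    """Strictest level across mixed media, for a single cross-media policy."""
    return max(parse_code(c)[1] for c in codes)

# Constructed sample log (hypothetical record ids and field names).
SAMPLE_LOG = [
    {"id": "HR-001", "media": "P", "protection_class": 2, "achieved": "P-4"},
    {"id": "RD-002", "media": "E", "protection_class": 3, "achieved": "E-4"},
    {"id": "FIN-003", "media": "H", "protection_class": 2, "achieved": "P-4"},
    {"id": "OPS-004", "media": "P", "protection_class": 1, "achieved": "P-8"},
]

if __name__ == "__main__":
    for rid, findings in audit_log(SAMPLE_LOG).items():
        print(rid, "->", "; ".join(findings))
    print("harmonized level:", harmonized_level(["P-4", "H-5", "E-5"]))
```

An organization with stricter obligations would raise the values in `CLASS_FLOOR` rather than change the checks.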
Applications and Compliance Considerations
Commercial organizations typically set P-4 as the floor for confidential office documents, reserving P-5 and above for higher-risk records. Financial, legal, and healthcare teams often choose P-5 for routine confidential files and P-6 for especially sensitive matters.
IT asset disposition programs use H- or E-coded levels to address rotating HDDs and SSDs. Where records span media types, harmonize on the strictest applicable level to simplify training and audits.
For audits, retain certificates of destruction, equipment specs indicating supported levels, test results, collection logs, and transfer receipts. These artifacts provide a defensible trail that your confidential data destruction followed documented destruction protocols.
Best Practices for Document Destruction
- Adopt a simple labeling scheme that maps record types to specific DIN 66399 classification codes.
- Use locked consoles and tamper-evident containers; limit who can access full bags or bins.
- Empty containers on a fixed schedule and shred as close to the point of use as practical.
- Avoid overfeeding; maintain blades, lubricate per manufacturer guidance, and monitor dust and noise limits.
- Mix shredded output with other material to further hinder reconstruction, and secure waste transport and storage.
- For digital media, combine logical sanitization (where appropriate) with physical destruction that meets the target E, H, or T level.
- Train staff, spot-check particle outcomes, and keep a simple log to prove ongoing security level compliance.
By classifying your data, selecting the right DIN 66399 security levels, and enforcing clear, documented destruction protocols, you create a practical, audit-ready defense against data leakage across paper and digital media.
FAQs
What is the purpose of DIN 66399 shredding standards?
DIN 66399 establishes a common language and measurable criteria for secure destruction. It helps you choose equipment and methods that produce particles small enough to prevent reconstruction, and it standardizes documentation so you can prove compliant, confidential data destruction.
How many security levels are defined in DIN 66399?
The standard defines seven security levels, numbered 1 through 7. Level 1 is the least stringent, and Level 7 is the most stringent, requiring the smallest particles and the highest protection.
Which security level is suitable for highly confidential data?
Highly confidential data generally maps to Levels 5 to 7. Many organizations select P-5 for sensitive records, P-6 when the impact of disclosure is very high, and P-7 for the most critical or classified information. Apply the same logic to other media using their lettered codes (for example, E-6 for SSDs).
How is particle size related to security levels in shredding?
Each higher level requires smaller particle size, which lowers the chance of reassembly. DIN 66399 sets maximum particle surface area and, for many levels, maximum width; your process must consistently produce pieces at or below those thresholds to meet the selected level.