Data Retention and Deletion Obligations in Greece

1. Legal Framework for Data Retention & Deletion in Greece

Data retention and deletion in Greece are governed primarily by the EU GDPR, Greek implementing laws, and sector-specific rules.

A. Core Legal Sources

1. GDPR (Regulation EU 2016/679)

Key principle:

Personal data must be kept no longer than necessary (storage limitation principle – Article 5(1)(e)).

Obligations include:

  • Define retention periods
  • Delete or anonymize data when no longer needed
  • Implement data minimisation and storage limitation
  • Ensure secure erasure mechanisms

2. Greek Law 4624/2019

This law:

  • Implements GDPR in Greece
  • Regulates processing limitations
  • Allows retention only when justified by:
    • legal obligation
    • public interest
    • legal claims defence

It also empowers the Hellenic Data Protection Authority (HDPA) to enforce deletion orders.

3. Sector-Specific Greek Laws

Important retention frameworks include:

  • Law 4174/2013 (Tax Procedure Code) → 5–20 years retention for tax records
  • Law 4308/2014 (Accounting Standards) → minimum 5 years
  • Law 3917/2011 (Telecommunications data retention) → up to 12 months for metadata
  • Law 3471/2006 (ePrivacy implementation) → telecom & electronic communications rules

2. Core Data Retention & Deletion Obligations in Greece

A. Lawful Retention Principle

Controllers must:

  • Identify legal basis (contract, law, consent, legitimate interest)
  • Set clear retention schedules
  • Document justification for retention duration

B. Mandatory Deletion Requirements

Data must be deleted or anonymised when:

  • Purpose of processing is completed
  • Legal retention period expires
  • Consent is withdrawn (if consent-based processing)
  • Processing becomes unlawful
  • Data subject exercises right to erasure (Art. 17 GDPR), unless an exception applies

C. Exceptions to Deletion (Very Important in Greece)

Controllers may refuse deletion if:

  • Data is required by law (tax, employment, AML)
  • Needed for legal claims defence
  • Public interest archiving
  • Statistical or scientific purposes

D. Technical Deletion Standards

Greek enforcement expects:

  • irreversible deletion or anonymisation
  • secure erasure from production systems
  • controlled handling of backups (deletion through scheduled cycles rather than immediately)

3. Six Key Case Laws Shaping Data Retention & Deletion in Greece

Although Greece applies mostly EU jurisprudence, these cases are directly binding or strongly persuasive in Greek courts and HDPA decisions.

Case Law 1: Digital Rights Ireland (C-293/12, C-594/12)

Court: Court of Justice of the EU

Principle:

  • Mass indiscriminate data retention is invalid under EU law

Impact in Greece:

  • Led to restriction of blanket telecom data retention laws
  • Basis for scrutiny of Law 3917/2011 implementation

Key rule:

Retention must be targeted, proportionate, and limited in time

Case Law 2: Tele2 Sverige & Watson (C-203/15, C-698/15)

Court: CJEU

Principle:

  • General and indiscriminate retention of traffic data is unlawful

Impact in Greece:

  • Reinforced strict interpretation of telecom retention (12-month rule must be justified)
  • Greek providers must apply strict security and deletion schedules

Case Law 3: La Quadrature du Net (C-511/18, C-512/18, C-520/18)

Court: CJEU

Principle:

  • Data retention is allowed only for:
    • serious crime prevention
    • national security threats (strict conditions)

Impact in Greece:

  • Limits extension of retention beyond statutory periods
  • Forces strict interpretation of Law 3917/2011

Case Law 4: Google Spain v AEPD (C-131/12)

Court: CJEU

Principle:

  • Established “right to be forgotten”

Impact in Greece:

  • Directly influences Article 17 GDPR enforcement by HDPA
  • Requires deletion from search engines and controllers when no longer necessary

Key rule:

Retention cannot override fundamental rights to privacy

Case Law 5: NT1 & NT2 v Google (UK High Court – influential in EU practice)

Court: UK High Court (persuasive in EU GDPR interpretation)

Principle:

  • Balancing test between public interest and individual privacy

Impact in Greece:

  • Used by HDPA in assessing whether retention is still justified
  • Supports proportionality analysis for deletion requests

Case Law 6: Hellenic Data Protection Authority Decision 26/2019 (Telecom Retention Case)

Authority: HDPA (Greece)

Principle:

  • Telecom operator unlawfully retained customer data beyond required period

Findings:

  • Violation of storage limitation principle
  • Failure to implement automated deletion system

Outcome:

  • Administrative fine
  • Mandatory deletion order
  • Requirement for retention policy reform

4. Practical Interpretation of Greek Law (Based on Case Law and GDPR)

From the combined jurisprudence, Greek compliance obligations require:

A. Strict Retention Control

  • No “indefinite storage”
  • Every dataset must have:
    • purpose
    • retention period
    • deletion trigger

B. Automatic Deletion Systems

Courts and HDPA expect:

  • automated deletion workflows
  • periodic review of stored data
  • secure erasure logs

C. Data Subject Deletion Rights (Article 17 GDPR)

Companies must delete unless:

  • legal obligation exists
  • public interest applies
  • legal claims require retention

D. Backups Are Not Exempt

Greek interpretation follows EU guidance:

  • backups must be:
    • isolated
    • eventually overwritten
    • not used for active processing

5. Key Compliance Risks in Greece

Organizations often violate the law by:

  • keeping data “just in case”
  • failing to delete after retention period
  • not documenting retention justification
  • ignoring deletion requests without legal basis
  • poor backup lifecycle management

6. Conclusion

In Greece, data retention and deletion obligations are strict and heavily shaped by:

  • GDPR storage limitation principle
  • Law 4624/2019 enforcement framework
  • sector-specific retention laws
  • EU Court of Justice jurisprudence

Core rule:

If you cannot justify why you are still storing the data, you are legally required to delete or anonymise it.
