Personal Data Retention Rules currently applicable in Greece
Article 4 of the Law 2472/1997 (Greek Data Protection Law), as it is amended and currently applicable, provides that “in order for the processing of Personal Data to be legitimate, Personal Data must be kept in a form which permits identification of data subjects only during the period, that according to the competent Authority, is required for the objectives of its collection and processing to be achieved. When the abovementioned period lapses, the Authority may in a justified manner allow the retention of the Personal Data for historical, scientific or statistical purposes, if it considers that the rights of the data subjects or any third party are not affected in each particular case”.
The same limitation principle is, also, included in the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) commonly known as “GDPR”, which shall apply from 25.05.2018 across the Members of EU.
Article 5 of the GDPR Regulation “Principles relating to processing of personal data” provides that, “Personal data shall be: (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.
As far as the currently applicable in the Greek legislation retention – storage limitation periods are concerned, the main legal provisions regarding data retention are provided in the Article 250 of the Civil Code and in the Article 7 of the Law 4308/2014 on Greek Accounting Standards.
However, specific documents including specific personal data may be subject to specific regulations such as:
Law 4174/2013 Greek Code of Tax Procedure “CTP”
Law 4308/2014 Greek Accounting Standards
Employment Law and Law 4387/2016 regarding Social Security
Banking Regulatory Framework (for documents related to anti-money laundering issues)
The general rule emerging from the Civil Code is that the documents need to be retained for five (5) years, same as the limitation period for claiming damages out of commercial disputes.
Article 7 of the Law 4308/2014 on Greek Accounting Standards stipulates that accounting and fiscal records need to be stored for a period of five (5) years commencing from the end of the financial year that they concern, if not otherwise ruled.
Articles 13 and 36 of the Law 4174/2013 (Greek Code of Tax Procedure) provide that the company’s books and records must be stored for at least five (5) years.
As an exception, in case of any tax evasion allegations the storage – retention period extends to twenty (20) years, commencing from the end of the financial year that the records concern.
As far as the relationship between employer and employee is concerned, the company is obliged to keep the documents for a period of five (5) years.
However, the limitation period for the competent authority of Social Security to raise claims affects the retention period of employees’ records.
The limitation period for the competent authority of Social Security to raise claims is twenty (20) years, as per the provisions of Article 95 of the Law 4387/2016, amended by the Article 29 par. 2 of the Law 4445/2016. Therefore, the company is obliged to retain employee related documents for a period up to twenty (20) years.
Kindly find below a brief overview of the retention periods (minimum and maximum) categorized per document:
– General legal documents – five (5) to twenty (20) years
– Annual reports – five (5) to twenty (20) years
– Accounts and records – five (5) to twenty (20) years
– Balance sheets – five (5) to twenty (20) years
– Banking documents or loan related documents or credit related documents – five (5) to twenty (20) years
– Employee records – five (5) to twenty (20) years
Taking all the above into consideration, the currently applicable Greek legislation provides for the abovementioned retention periods regarding documents including Personal Data.
The Regulation 2016/679, which shall apply from 25.05.2018, includes the same principle for storage limitation.