The retention and deletion of personal data of former employees under GDPR perspective
Greek legislation sets specific requirements for the retention and deletion of the personal data of former employees. Below is an analysis of the legal framework and of the practices recommended for compliance:
Legal Framework for Personal Data Retention
Under Greek law and the GDPR, personal data of former employees must be retained only for as long as necessary for the purposes for which they were collected. Therefore, an indefinite retention of such data is not compliant with these regulations.
According to Article 5 of the GDPR (which applies directly in Greece as an EU regulation and is supplemented by Law 4624/2019), personal data must be:
- Kept in a form that permits identification of data subjects for no longer than necessary for the purposes of the processing (storage limitation)
- Processed in a manner that ensures appropriate security (integrity and confidentiality)
- Protected by appropriate technical and organizational measures
Specific Retention Periods
Several Greek laws set different retention periods for different categories of employee data:
- Basic Employment Records: According to Article 7 of Law 3762/2009, employers must retain copies of employment contracts, notifications, and other documents they are required to provide to employees for a period of two years from their expiration date, in either printed or electronic form.
- Data for Legal Claims: For potential legal claims or audits, data should be retained for the period within which a claim may be filed (typically up to 5 years, depending on the nature of the claim).
- Financial and Tax Records: For tax and social security purposes, relevant employee data should typically be kept for 5 years after the end of employment.
- Health Data: health data are special-category data under Article 9 of the GDPR and must not be retained unless they are needed for one of the purposes listed above.
Data Deletion Requirements
The legal framework also establishes specific requirements for data deletion:
- Mandatory Deletion: According to Article 73 of Law 4624/2019 (as amended by Article 43 of Law 5002/2022), the data controller must delete personal data without delay if the processing is unlawful, if deletion is required to fulfill a legal obligation, or if the data are no longer necessary for the purposes of the processing.
- Periodic Review: The law may provide for periodic review of the storage period by the controller, including periods and criteria for review. This review should be based on the principle of storage limitation for as long as necessary to achieve the purpose of processing.
- Secure Destruction: As specified in Article 7 of Presidential Decree 40/2025, organizations must ensure that data is destroyed in a way that ensures it cannot be recovered.
Recommended Policies for Compliance
To ensure compliance with Greek law and the GDPR, organizations should implement the following policies:
- Data Retention Policy: Establish a clear policy that defines specific retention periods for different categories of employee data based on legal requirements and legitimate business needs.
- Regular Review Process: Implement a periodic review process to assess whether continued retention of personal data is necessary, with the Data Protection Officer participating in this review process.
- Secure Deletion Procedures: Develop procedures for the secure deletion or anonymization of data after the retention period expires, ensuring that the data cannot be recovered. Deletion must cover every copy, including backups, replicas, exports and log archives; on encrypted storage, destroying the key (crypto-shredding) is an accepted way to render remaining copies unrecoverable. Note that only true anonymization takes data out of the GDPR's scope; pseudonymized data remain personal data.
- Documentation: Maintain documentation of retention periods and deletion procedures as part of the records of processing activities.
- Technical Measures: Implement technical measures (for example, storing the retention category and expiry date with each record) so that data are automatically flagged for review or deletion once the relevant retention period elapses, rather than relying on manual tracking.
- Legal Hold Procedure: Establish a procedure to suspend deletion if there is an active audit, legal claim, or other legal pending matter related to the data.
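The policies above can be expressed as a retention schedule that an HR or records system evaluates on a regular basis. The following Python evaluator is an added example written for this page, not code from the original article or from any named product: the category names, the 90-day review window and the sample records are assumptions made for illustration, while the retention periods are the ones summarized in the section on specific retention periods above. It combines the retention periods, the periodic review, the legal-hold suspension and the audit trail into one decision per record.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per data category, in years from the end of employment.
# Category names are this example's own labels (assumed); the periods follow
# the summary of Greek law given in the article above.
RETENTION_YEARS = {
    "employment_records": 2,   # contracts, notifications (Law 3762/2009, art. 7)
    "legal_claims": 5,         # period in which a claim may still be filed
    "tax_social_security": 5,  # tax and social-security records
    "health": 0,               # special-category data: not kept once no other purpose applies
}

# Flag a record for DPO review this long before its expiry (assumed value).
REVIEW_WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class Record:
    record_id: str
    employee_id: str
    category: str
    employment_end: date
    legal_hold: bool = False  # set by the legal-hold procedure; blocks deletion


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record: Record) -> date:
    """Date from which the record no longer serves its stated purpose."""
    if record.category not in RETENTION_YEARS:
        # An unknown category is a policy gap: fail closed instead of guessing a period.
        raise ValueError(f"no retention period defined for category {record.category!r}")
    return add_years(record.employment_end, RETENTION_YEARS[record.category])


def decide(record: Record, today: date) -> str:
    """Return 'hold', 'delete', 'review' or 'retain' for a record on a given day."""
    expiry = retention_expiry(record)
    if record.legal_hold:
        return "hold"      # audit or claim pending: deletion is suspended
    if today >= expiry:
        return "delete"    # purpose fulfilled: storage limitation requires deletion
    if expiry - today <= REVIEW_WINDOW:
        return "review"    # approaching expiry: queue for the periodic review
    return "retain"


def schedule(records, today: date):
    """Evaluate every record and return one audit-trail entry per record,
    suitable for inclusion in the records of processing activities."""
    return [
        {
            "record_id": r.record_id,
            "employee_id": r.employee_id,
            "category": r.category,
            "expiry": retention_expiry(r).isoformat(),
            "action": decide(r, today),
        }
        for r in records
    ]


# Constructed sample data: emp-001 left on 2020-03-31, emp-002 on 2023-10-15.
SAMPLE_RECORDS = [
    Record("r1", "emp-001", "employment_records", date(2020, 3, 31)),
    Record("r2", "emp-001", "tax_social_security", date(2020, 3, 31)),
    Record("r3", "emp-001", "legal_claims", date(2020, 3, 31), legal_hold=True),
    Record("r4", "emp-001", "health", date(2020, 3, 31)),
    Record("r5", "emp-002", "employment_records", date(2023, 10, 15)),
]

if __name__ == "__main__":
    # Evaluated on 2025-02-01: r1 and r4 are due for deletion, r2 enters review,
    # r3 is held because of the pending claim, r5 is still within its period.
    for row in schedule(SAMPLE_RECORDS, today=date(2025, 2, 1)):
        print(row)
```

The evaluator only decides; the deletion job that acts on a "delete" entry must still reach every copy (backups, exports, replicas) and record what it destroyed, and a "hold" must be re-evaluated when the audit or claim that justified it is closed.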
Conclusion
The indefinite retention of former employees’ personal data is not compliant with Greek law and the GDPR. Organizations must establish clear retention periods based on legal requirements and legitimate business needs, and implement procedures for the secure deletion of data after these periods expire.