1. Purpose
This Policy represents Aegean’s approach to the retention and disposal of records and the retention and disposal of electronic documents.
The purpose of this Policy is to ensure that necessary records and data of the company are adequately protected and maintained, and to ensure that records that are no longer needed by the company, or are of no value, are discarded at the proper time. This Policy also serves the purpose of aiding employees of the company in understanding their obligations in retaining electronic documents - including e-mail, Web files, text files, sound and movie files, PDF documents, as well as all Microsoft Office or other formatted files.
The Data Retention Policy is in accordance with the EU General Data Protection Regulation (“GDPR”), the Greek legislation on personal data protection, as well as any secondary legislation / opinions / decisions issued by the Hellenic Data Protection Authority (“HDPA”).
2. Definitions
Personal Data: Data is considered personal if the person it concerns can be identified directly or indirectly through a combination of data gathered.
Special categories of data (sensitive data): Personal data related to:
- Religious, philosophical, political or trade union-related views or activities.
- Health, genetic or biometric information, racial and ethnic origin, sexual orientation.
- Criminal records and sanctions.
Retention Period: The period that the information is retained before it is destroyed and / or deleted. Retention periods apply to both paper and electronic records and are applied regardless of the storage medium, including their backups.
Data Processor: A natural or legal person / entity that processes personal data on behalf of the data controller, in accordance with the controller’s instructions.
3. Responsibilities
Each Departmental Head and Information Owner is responsible for the maintenance, retention and disposal schedule for physical records as well as the retention and disposal schedule of electronic documents.
Each Departmental Head and Information Owner is also responsible for making modifications to the schedule when necessary in order to ensure that he / she is in compliance with local laws and regulations that affect record retention.
The Data Protection Officer is responsible for the circulation and yearly review / update of this Policy. Furthermore, the DPO ensures that Aegean’s employees receive appropriate training and comply with the Policy in terms of personal data handling, data retention and deletion principles. The DPO serves as Aegean’s point of contact for personal data related issues, and is responsible for notifying the HDPA if a personal data related incident occurs.
Monitoring of this policy can be achieved through audits by the Internal Audit department as well as by the Quality department.
4. Data and Record Destruction
Top management and the DPO will be informed on a yearly basis regarding the annual data and records destroyed. The retention periods are reviewed on an annual basis by Aegean’s DPO upon consultation with the Legal Department.
5. Principles Concerning the Retention of Data and Records
- Stored data and records are safeguarded with controls that are appropriate and relevant to their classification level, with respect to Confidentiality, Integrity and Availability.
- Data and records are retained only for the period required to fulfil the initial business purpose for which they have been collected and / or created and in compliance with the applicable regulations regarding the nature of the data.
- Personal data will be destroyed / anonymized under the responsibility of the company after the end of the period necessary to achieve the purpose of the processing and following DPO approval.
- Upon expiration of the predefined data retention period, the company is obligated to delete the respective data. In the event that further processing is required, data may be retained for a longer period of time after considering relevant legal or regulatory obligations.
- Aegean must destroy personal data in a secure manner to prevent unlawful and unfair processing, such as disposal to third parties.
- If the destruction of the data is entrusted to a third party (data processor), the assignment shall be made only in writing and a destruction protocol shall be drafted and kept by both the processor and Aegean.
- Aegean adopts appropriate technical and organizational measures to securely obtain, maintain and erase all data. The methods of collecting, retaining, and processing personal data shall be regularly evaluated and reviewed.
- Aegean shall ensure sufficient storage space and an appropriate personal data retention system that allows easy and direct data search and set rules of controlled access and dissemination.
- All employees and other parties working on behalf of Aegean shall be made fully aware of both their individual responsibilities and Aegean’s responsibilities under the GDPR and under Aegean’s Data Retention Policy.
6. Applicability
This Policy applies to all physical records generated by the company’s operations, including both original documents and reproductions. It does not apply to third parties, since they are responsible for their own retention policies. It also applies to the electronic documents described above.