Compliance
Compliance & Documentation
Two laws tell you opposite things. We keep you on the right side of both.
The contradiction
The contradiction you have to manage
On one hand the tax code obliges you to keep records for 10 years. On the other GDPR obliges you to delete them when no longer needed. Mishandle this contradiction and you breach one or the other — and both bring fines.
Tax code
Law 5104/2024 — Greek Tax Code
Mandates 10-year retention of tax books and supporting documents. Applies to all professionals and businesses. Failure to retain leads to fines and disputed deductions during audits.
Data protection
GDPR Article 32 + Article 17
Article 32 requires appropriate technical and organisational measures for data security (encryption, resilience, restore tests). Article 17 requires deletion when the processing purpose ends.
Audit readiness
Hellenic DPA audit — what they ask for
In a typical Data Protection Authority audit, they ask for:
- Data Processing Agreement (DPA) with every cloud provider
- Processing activity records
- Documentation of Article 32 technical measures
- Evidence of regular restore tests
- Retention & deletion policy with execution evidence
All of this is ready in your pack from day one and refreshed every year.
Deliverables
Documents we deliver
Data Processing Agreement
Legally valid DPA signed by both parties, with explicit confidentiality terms and sub-processor disclosure.
Article 32 evidence pack
Full documentation of technical and organisational measures: encryption, access control, resilience, recovery procedures.
Processing register
Pre-filled for your backup service. Ready to slot into your business's overall register.
EU sovereign
Data 100% in Europe
All data sits in Hetzner data centres in Germany and Finland. No transfer outside the EU. No exposure to the US CLOUD Act. No Schrems II concerns.