Art. 11 (2) (a) Data Act (COM Proposal)

"A data recipient that has, for the purposes of obtaining data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holder’s authorisation, shall without undue delay, unless the data holder or the user instruct otherwise:

(a) destroy the data made available by the data holder and any copies thereof;

[...]"