I don't know. I did a subpoena to Verizon once for a guy accused of murder who I knew was innocent. There's a long story about how the guy didn't want to admit to police he wasn't at the scene of the crime because it would have to out him as having a gay lover, which he was worried about. He'd been in jail for 6 years at this point. I said we should subpoena his cell tower records to prove he was away from the scene, and we did, but Verizon came back and said they deleted them after 5 years.
tl;dr: they do delete them, but Verizon said it has a 5-year retention.
As part of a GDPR data access request, my mobile ISP denied having access to data such as which cell towers I am or have been connected to. Wasn't sure what to make of that. They are a virtual provider but, like, surely if the police come knocking they suddenly find a way to that data... or do the police not knock at theirs but at the network operator's? Is the virtual operator then not the data controller? Should I send access requests to suppliers? But then the data controller is not required to give a list of suppliers, just a list of 'categories' of third parties they share my data with... so that doesn't really add up.
I know a thing or two about GDPR but it's still complex enough that I don't know what my rights / their obligations are in this case.
The best I could figure, my virtual operator was lying to me about not having my location data 24/7 recorded, but I'd be interested if anyone can tell me more.