[Geee]

Not true. You have the right to retain backups and logs etc. as long as they serve their purpose to secure your service for accidental loss of data or other security purposes and they are properly stored and secured.

What if hacker deletes your Facebook account? Under GDPR Facebook has actually obligation to keep your data safe from this scenario. Which means they have to keep logs to investigate what happened and also be able to restore your data.

You should delete backups after certain amount of time and state your policy to users.

[mattmanser]

Only if you keep them a reasonable time and the backups will gradually be purged.

You can't keep indefinite backups and comply with GDPR.

So if your 5 year old backup, which has no purpose at all, gets stolen, expect a whopping fine for being an idiot. Or your web logs get stolen and it turns out you keep them 2 years, don't expect favourable treatment as that's totally unnecessary data retention.

[krageon]

The backups that you can retain are hard to justify further back than about a year (if you even manage to do that), and if you ever use them you have to make sure the data that was deleted because of a request before is not in there again.

[Jagat]

No, GDPR requires you to delete all the data corresponding to a user within 30 days after the said user requests deletion of account. That includes backups and logs.