by giancarlostoro 2482 days ago
It's likely not deleted in backups is my suspicion. I don't know what policies some companies have in regards to backups.

Also some companies always had the option for years.

One good test might be to create Facebook and Instagram accounts, then upload images, save direct links to those images. Delete the accounts and see... If the links work after clearing cache / a few days / weeks / months... then yeah, they just keep your data but detach it from friends and your email / password.

3 comments

Indeed it isn't deleted from backups. And according to [1] it doesn't have to be. In the company I work for it's handled the way that we have a list of subjects (their id in database) who requested deletion and after restoring any backup the subjects' data from the list is deleted again.

[1]: https://www.itgovernance.eu/blog/en/the-gdpr-how-the-right-t...

So do those records get deleted eventually? Or do they live on forever like some kind of ghost?
I think I am okay with this. So long as nobody is doing analysis on the data, it should be ok.
Direct links probably end up in their caches. If they stop being visited then you're fine and they'll be evicted, but intentionally evicting data that's been deleted is one of the hardest parts of implementing full deletion.
GDPR lawyers told me it should be deleted from backups if it is doable without breaking the integrity of the backup copy. If it could break the integrity or is technically impossible, then the company should have a list of all records to be deleted after restoring a backup and ensure that this list will be processed on each backup restore.
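
The approach described in the comments above (keep a list of subject ids who requested deletion and re-apply it after every backup restore), as an added example that is not part of the thread or any commenter's code. The schema, table names and function names are assumptions made for illustration, and SQLite in-memory databases stand in for the live database, the backup and the erasure list.

```python
import sqlite3

# Assumed schema (hypothetical): each table with personal data -> its subject-id column.
SUBJECT_TABLES = {"users": "id", "photos": "owner_id"}

def make_app_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE photos(id INTEGER PRIMARY KEY, owner_id INTEGER, url TEXT);
        -- constructed sample rows
        INSERT INTO users VALUES (1,'a@example.test'),(2,'b@example.test');
        INSERT INTO photos VALUES (10,1,'p1'),(11,2,'p2'),(12,2,'p3');
    """)
    return db

def make_ledger():
    # Separate store, outside the backed-up database, so a restore cannot roll it back.
    ledger = sqlite3.connect(":memory:")
    ledger.execute("CREATE TABLE erasure_requests(subject_id INTEGER PRIMARY KEY)")
    return ledger

def copy_db(src):
    # Stands in for both taking a backup and restoring one.
    dst = sqlite3.connect(":memory:")
    src.backup(dst)
    return dst

def erase_subject(db, subject_id):
    # Table/column names come from the fixed map above, never from input.
    n = sum(db.execute(f"DELETE FROM {t} WHERE {c} = ?", (subject_id,)).rowcount
            for t, c in SUBJECT_TABLES.items())
    db.commit()
    return n

def request_erasure(db, ledger, subject_id):
    # Record the request first: a crash after this line still leaves it replayable.
    ledger.execute("INSERT OR IGNORE INTO erasure_requests VALUES (?)", (subject_id,))
    ledger.commit()
    return erase_subject(db, subject_id)

def replay_erasures(db, ledger):
    # Run after every restore; idempotent, so repeating it deletes nothing more.
    ids = [r[0] for r in ledger.execute("SELECT subject_id FROM erasure_requests")]
    return sum(erase_subject(db, sid) for sid in ids)

def residual_rows(db, ledger):
    # Verification: rows still held for listed subjects (must be 0 after replay).
    ids = [r[0] for r in ledger.execute("SELECT subject_id FROM erasure_requests")]
    return sum(db.execute(f"SELECT COUNT(*) FROM {t} WHERE {c} = ?", (s,)).fetchone()[0]
               for s in ids for t, c in SUBJECT_TABLES.items())
```

Calling `residual_rows` on a freshly restored copy before `replay_erasures` shows the deleted subject's rows coming back with the backup, which is why the list has to live outside the data it governs.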