I made a test a few years back and I really regret it. I requested my sample to be deleted from the db and I downloaded the DNA to my local server. Hopefully they really deleted my DNA and it didn't leak while it was there.
All they'd need to do is create "shadow" companies where they store backups of the data, suddenly you can't really get them to delete your data anymore.
It requires investigations and evidence and it metes out fines for non-compliance, eventually.
A fine doesn't reverse stolen/hacked data, nor does it work particularly well on the megacorps who just eat it as the cost of doing business.
If there is more profit to be had than it would cost in fines then that's not a deterrent, it's a tax.
Until the fines are proportionate to the offence (whatever the profit is/was + punitive percentage) it's only going to deter those who can't pay the current fixed rates.
Probably not even housed separately, the "deleted" tag is just now "true". That's just how pretty much all these corps roll since they can get away with it.