Forget me yes.
The Danish data protection authority has published a practical guide on data minimization and the right of erasure under GDPR:
- If you use “soft delete,” where a link is deleted but not the personal information in the underlying database, this is not a real deletion.
- Based on the purposes of the processing, and subject to legal retention requirements, the data controller must determine and document the deletion deadline for each processing.
- Data controllers must develop deletion procedures for systems where personal data is processed and must implement a follow-up procedure to ensure deletion.
- For accountability, data controllers may keep a log of requests received under the right to be forgotten. They should set reasonable deletion deadlines for the log.
- Personal data must be deleted from backups if technically possible. If not, the data controller must ensure that the personal data deleted from the system in operation is also removed if a backup is restored.
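
The soft-delete and backup points above, as an added Python/SQLite sketch (not taken from the guide): a soft delete leaves the data stored, while a real erasure is logged by key only and replayed after a backup restore. Table and column names, function names and the sample addresses are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE erasure_log (subject_id INTEGER, erased_at TEXT);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def soft_delete(db, subject_id):
    # Only flags the row as hidden; the email stays stored, so this is not erasure.
    db.execute("UPDATE customers SET deleted = 1 WHERE id = ?", (subject_id,))

def erase(db, subject_id, now):
    # Real deletion, plus a log entry that holds the key and time, not the data.
    db.execute("DELETE FROM customers WHERE id = ?", (subject_id,))
    db.execute("INSERT INTO erasure_log VALUES (?, ?)", (subject_id, now.isoformat()))

def restore_backup(backup, live):
    # Reload customer rows from the backup, then replay every logged erasure so
    # erased subjects do not reappear. The log itself is not overwritten.
    live.execute("DELETE FROM customers")
    rows = backup.execute("SELECT id, email, deleted FROM customers").fetchall()
    live.executemany("INSERT INTO customers VALUES (?, ?, ?)", rows)
    live.execute("DELETE FROM customers WHERE id IN (SELECT subject_id FROM erasure_log)")

def purge_log(db, now, retention_days):
    # The erasure log has its own deletion deadline.
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    db.execute("DELETE FROM erasure_log WHERE erased_at < ?", (cutoff,))

def emails(db):
    # Everything physically stored, regardless of the soft-delete flag.
    return [r[0] for r in db.execute("SELECT email FROM customers ORDER BY id")]

def demo():
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed date
    live, backup = new_db(), new_db()
    people = [(1, "a@example.com", 0), (2, "b@example.com", 0), (3, "c@example.com", 0)]
    for db in (live, backup):  # the backup is taken before any deletion
        db.executemany("INSERT INTO customers VALUES (?, ?, ?)", people)
    soft_delete(live, 1)
    after_soft = emails(live)      # subject 1's email is still in the table
    erase(live, 2, now)
    restore_backup(backup, live)   # subject 2 is removed again after the restore
    return after_soft, emails(live), live
```

In a real system the log's deletion deadline should not be shorter than the age of the oldest backup that could still be restored, otherwise the replay misses erased subjects.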
Read the guide.