Forget me yes.

The Danish data protection authority has published a practical guide on data minimization and the right of erasure under GDPR:

  • If you use “soft delete,” a link is deleted but not the personal information in the underlying database, this is not a real deletion.
  • Based on the purposes of the processing, and subject to legal retention requirements, the data controller must determine and document the deletion deadline for each processing.
  • Data controllers must develop deletion procedures for systems where personal data is processed and must implement a follow-up procedure to ensure deletion.
  • For accountability, data controllers may keep a log of requests received under the right to be forgotten. They should set reasonable deletion deadlines for the log.
  • Personal data must be deleted from backups if technically possible. If not, data controller must ensure that the personal data deleted from the system in operation is also removed if a backup is restored.

Read the guide.