Forget me yes.
The Danish data protection authority has published a practical guide on data minimization and the right of erasure under GDPR:
- If you use “soft delete,” a link is deleted but not the personal information in the underlying database, this is not a real deletion.
- Based on the purposes of the processing, and subject to legal retention requirements, the data controller must determine and document the deletion deadline for each processing.
- Data controllers must develop deletion procedures for systems where personal data is processed and must implement a follow-up procedure to ensure deletion.
- For accountability, data controllers may keep a log of requests received under the right to be forgotten. They should set reasonable deletion deadlines for the log.
- Personal data must be deleted from backups if technically possible. If not, data controller must ensure that the personal data deleted from the system in operation is also removed if a backup is restored.