To think that any company anywhere actually removes all data upon request is a bit naive to me. Sure, maybe I'm too pessimistic, but there's just not enough evidence these deletes are not soft deletes. The data is just too valuable to them.
But see, that requires two totally different workflows. It would just be easier to soft delete for everything and tell everyone that it's a hard delete.
I've never been convinced that my data will be deleted from any long term backups. There's nothing preventing them from periodically restoring data from a previous backup and not doing any kind of due diligence to ensure hard delete data is deleted again.
Who in the EU is actually going in and auditing hard deletes? If you log in and can no longer see the data because the soft delete flag prevents it from being displayed and/or if any "give me a report of data you have on me" reports empty because of the soft delete flag, how does anyone prove their data was not soft deleted only?
What would a company that does that, hypothetically, then reply to a user who requests their data held by the company? With their soft-deleted data, or would they say they have no data?
They would obviously say we don't have the data. And to keep that person from "lying", the people that have the role to be able to make this request would have their software obey the soft delete flag and show them "no data available" or something like "on request of user, data deleted on YYYY-MM-DD HH:MM:SS" type of message. Who would know any different?
That’s fake news from a hacker. Just look at the data we have. The data they say we have, we don’t. They clearly made it up. It works in politics, so why not in tech?