You have a very narrow view about what backups are used for. Which is fine for your business, but for many others, the backups are important business records. What if an employee is stealing from the company, and does it for longer than the time that your business keeps backups? You might say "oh but I keep logs", in which case you have the same problem with keeping the logs that you think you dodged by not keeping the backups.
Yes and no... the GDPR is all about purpose, and if you keep a log for the purpose of logging unauthorized access to data this is fine if you state this fact in the contract with the employee and only store and access the logs for this purpose.
You just can not keep backups of everything for the purpose of everything.
My example can not include all cases and was written in the spirit of "we are a bunch of devs with a small project". As is monal.im .
