Just linking to the root of the documentation itself doesn't help much. The relevant info appears to be Article 17, but even it makes no explicit mention of backups. There is this line, though; "[T]he controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data." This is not clarified in Article 23, Restrictions, so the logical meaning would be that even backups - assuming they are not read-only which would make this, at least in the minds of people who understand the technical limitation, unreasonable - must be purged of user data on an account deletion request. However, "reasonable to people who understand the technology" is not synonymous with "reasonable to people who make/enforce the law."
My previous employer had a "delete on restore" id list, if we ever needed to restore from a backup. My manager said that this should be sufficient for offline backups. They had a lawyer who had said it's OK but I of course don't have the full picture.
It is however a risk, too. The drives are encrypted, without power and not even networked but they can still be stolen together with the encryption key from the same building. But then probably you have bigger problems.
This also forces the systems that test the backups to be also offline, which is a huge hassle.
> Just linking to the root of the documentation itself doesn't help much.
I’m sorry, I didn’t have time to find a good specific reference, so I just linked to the whole document.
I suppose that a technical solution is to encrypt all backups of user data with one key per user. Then you only have to erase that user’s key if necessary.
