In this case, you would still leak the data you had on the user. In France, according to the CNIL's recommendation, you can keep users' data in backups but you have to notify in clear words them that their data is kept X years.
As a side note, the CNIL also clarified things the author have issues with, for instance "without undue delay" is set to 30 days. In the UK, I've read they backups for specific users must be deleted when technically possible. I'm not sure how that works in practice.
As a side note, the CNIL also clarified things the author have issues with, for instance "without undue delay" is set to 30 days. In the UK, I've read they backups for specific users must be deleted when technically possible. I'm not sure how that works in practice.