GDPR, the right to be forgotten and backup systems

As you probably already know, on May 25, 2018. new provisions on the protection of personal data enter into force - the so-called GDPR. One of the novelties defined in the regulation is the right of persons whose data we process to "be forgotten". They are defined in article 17 of the GDPR, the content of which is as follows:

Art.17

Right to erasure ("right to be forgotten")
1.The data subject has the right to request the administrator to delete his personal data without undue delay, and the administrator is obliged to delete personal data without undue delay, if one of the following circumstances occurs:
a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject has withdrawn consent on which the processing is based in accordance with art. 6 sec. 1 lit. a) or Art. 9 sec. 2 lit. a), and there is no other legal basis for the processing;
c) the data subject objects to the processing pursuant to Art. 21 paragraph 1 against processing and there are no overriding legitimate grounds for processing or the data subject objects to the processing pursuant to art. 21 paragraph 2 against processing;
d) the personal data have been processed unlawfully;
e) personal data must be removed in order to comply with the legal obligation provided for in the Union law or the law of the Member State to which the controller is subject;
f) the personal data have been collected in relation to the offering of information society services referred to in art. 8 sec. 1.

However, the client's request, which seems to be easy to fulfill, raises some doubts. Backup system administrators pay attention to the fact that deleting a single record of personal data from an archival copy, which is stored on an external medium, sometimes in an external location and Continue ...