The requirement exists unless the company is under legal obligation to retain something. I had one case where I requested a GDPR data dump followed by a full deletion, and apparently whoever executed the request deleted first and then processed the dump, so I was able to see that what they did was change my email address from [email protected] to username#[email protected] - meaning that login attempts, password resets etc. would clearly fail, and a further attempt to request my data revolving around my email address would be unsuccessful, but ultimately all my data was still accessible somewhere. Whether they’d then proceed to delete it after the retention period, who knows. I intended to follow up but forgot…
The requirement exists unless the company is under legal obligation to retain something. I had one case where I requested a GDPR data dump followed by a full deletion, and apparently whoever executed the request deleted first and then processed the dump, so I was able to see that what they did was change my email address from [email protected] to username#[email protected] - meaning that login attempts, password resets etc. would clearly fail, and a further attempt to request my data revolving around my email address would be unsuccessful, but ultimately all my data was still accessible somewhere. Whether they’d then proceed to delete it after the retention period, who knows. I intended to follow up but forgot…