Are you in control of the presence of data in your database? Yes. It’s up to you to delete it when requested. Are you in control of the data on your hard drive? Yes. It’s up to you to delete it when requested. Are you in control of the operating system implementation or database implementation of deletion? No. Could you get the data back if you wanted to? Yes – but that’s not part of your usual run of business, so why would you explicitly do that? What if some bad dude steals your hard drive and then rummages through it? Ok, we are getting a little far-fetched here for most businesses that are not keeping special category data, but if this does happen, then you have failed in your security controls.