
How does that work around GDPR and other "Right to be forgotten" legislation? Aren't we required to hard-delete this kind of data?


You are within a certain period of time, not ‘instantly’ (depending on the exact situation you are referring to). The script could take that into account (using a shorter period of time or the like).


What is hard deletion? You can restore rows from database files before vacuum runs. You can often restore data from disk sectors. Some people say SSD can remap sectors under your chair and you won't even know that your deleted data is there.


The law isn't a technical specification. You have to follow the spirit of the law. A soft deleted_at timestamp wouldn't be following the law in good faith. Having some data stuck in an unmapped section of an SSD would be within the spirit.


IANAL, but IMHO a soft 'deleted_at' timestamp along with a daily cron job that hard deletes everything with a deleted_at older than 24 hours would fall within the spirit of the law.

I agree that just having a deleted_at timestamp where old entries are never pruned would not be a good faith interpretation of the law.
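
The soft-delete-then-purge job described in the comment above, combined with the earlier point that deleted rows stay recoverable from the database file until a vacuum runs, as an added example that is not part of the thread. It assumes SQLite as a stand-in database and a hypothetical `users` table; the clock and addresses are constructed.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)  # assumed grace period, taken from the comment above

def purge(conn, now, grace=GRACE, batch=500):
    """Hard-delete rows soft-deleted more than `grace` ago, in small batches."""
    cutoff = (now - grace).isoformat()  # all timestamps are UTC ISO-8601 strings
    purged = 0
    while True:
        with conn:  # one short transaction per batch
            n = conn.execute(
                "DELETE FROM users WHERE id IN (SELECT id FROM users "
                "WHERE deleted_at IS NOT NULL AND deleted_at <= ? LIMIT ?)",
                (cutoff, batch)).rowcount
        if n == 0:
            return purged
        purged += n

def on_disk(path, marker):
    with open(path, "rb") as f:
        return marker in f.read()

def demo():
    """Return (purged, remaining, marker in file after DELETE, after VACUUM)."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed clock
    marker = b"erase-me@example.invalid"              # constructed personal data
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = OFF")  # freed bytes are not zeroed
        with conn:
            conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, deleted_at TEXT)")
            conn.executemany("INSERT INTO users (email, deleted_at) VALUES (?, ?)", [
                ("active@example.invalid", None),
                (marker.decode(), (now - timedelta(days=3)).isoformat()),  # past grace
                ("recent@example.invalid", (now - timedelta(hours=2)).isoformat()),
            ])
        purged = purge(conn, now)
        after_delete = on_disk(path, marker)  # row is gone from queries, bytes remain
        conn.execute("VACUUM")                # rebuilds the file without freed space
        after_vacuum = on_disk(path, marker)
        remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
        conn.close()
        return purged, remaining, after_delete, after_vacuum

if __name__ == "__main__":
    print(demo())
```

Backups and replicas hold their own copies and are outside what this job touches.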


From what I have seen, there is no requirement for instant deletes. Even emailing a support address and having them manually delete the data is acceptable. Most places using deleted_at never clean up the data from what I have seen though.


As long as the data is deleted within a month there should not be any GDPR concerns.

> The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay

> “Undue delay” is considered to be about a month

https://gdpr.eu/right-to-be-forgotten/



