Databases don't delete data
There's this thing called data integrity which is critical to modern databases, and it's dependent upon having no data gaps, therefore "deleted" data usually isn't deleted, but simply marked as "deleted."
This isn't 100% the case, but on modern web-based systems all records (if not most) in a relational database are typically handled as program objects with one or more critical relationships to other program objects which are in turn based on database records. It's a tight-knit web, and removing one segment could bring the whole thing crashing down. To alleviate this issue, developers will typically just add a "deleted" flag to the record when a user requests that it be deleted. The record won't show up in typical data queries ("select all records not marked as deleted"), but it still exists and may even be easily accessible when a related record which hasn't been deleted is accessed.
Here a practical example of not really deleted data:
Suppose you create an account with an on-line retailer like Amazon.com, then "delete" your account after several years of on-line shopping. The retailer may mark your account deleted and make it impossible for you to log in any more, but it's extremely unlikely that your account data will be deleted as your order records needs to remain accessible to the retailer for the sake of keeping its financial and inventory records correct, and for the sake of "data integrity" those order records need to be associated with a user account record.
A less practical but still likely example:
Suppose you create an account with a social network like Facebook. After years of use you decide you're done with the social network and request that your account be deleted. Your profile may "disappear" from the internet, along with all your posts and comments, but other users have made several comments on your photos, videos, and other posts. Unless these other users' comments are deleted off of their accounts when your account is deleted, they still exist and still point to your account and therefore need your account to exist, albeit flagged as "deleted," for the sake of data integrity.
It *is* possible to anonymize old data, by overwriting names, phone numbers, e-mail/IP/physical addresses, credit card numbers, etc. with blank, random, or generic information like "deleted," but it takes a *lot* of extra time and effort, and the opposition to this is 1) employers are reluctant to spend any money on having the developers go the extra mile to scrub data which *supposedly* nobody will ever look at again, and 2) most programmers are notoriously lazy bastards who will take any shortcut to make their work go faster, including skipping the development of "unnecessary features."
Also to consider is that a properly operated web service should regularly make backups of its database. That old backup may include your personal data from before it was deleted, and how long that backup is preserved before being deleted can vary anywhere from a few months to never. If that backup were to fall into the wrong hands, it could be put to misuse as easily as a compromised live database.