Data controllers must delete the users' personal data if they are asked to do so, according to the GDPR, except in some cases that don't really apply here. But what if that personal data has ended up somewhere else on the internet, maybe on a search engine like Google, or maybe in multiple places that might even be difficult to spot completely, often because some crawling bots have copied the data? I'm not talking about a data breach, where somebody gets unexpected and unauthorized access to data that is supposed to be private. I'm talking about data that is publicly displayed on a website, so anybody (crawling bots included) can access it. It could be a username, an email address, a little picture of you as an avatar, etc.
So here are the questions:
Who is responsible for the deletion of personal information that ended up on other websites? Should the user try to get the data deleted, or should the original website do it? For example, if a user asks me to delete some data from my website, should I also try to have it removed from Google, or could I just tell the user it's none of my business and that they should go ask Google on their own?
Should a user expect all this to happen as "the way the internet works", or should anything be made clear in the privacy policy? For example, saying "The part of your personal data that can be publicly accessed on the internet is likely to end up on other websites that we cannot control and that might not comply with the GDPR at all"?