Does a business have to delete information from their point of sale system pursuant to a deletion request?

If a company receives a right to be forgotten request, does it have to delete the requestor’s IP address from its weblogs?

If a company receives a ‘right to be forgotten’ request, does it have to delete the request itself?

If a company experiences a data security breach, and receives a “Right to be Forgotten” request from a data subject whose information was involved, does the company have to delete the information that they have about the individual?

Do the CCPA and the GDPR have the same exceptions to the right to be forgotten?