I believe that you're okay in that case. Some countries in the EU require that you have financial records stored for five years, and they will always contain personal identifiable information. The GDPR states, if I recall correctly, that because some other law requires you to store the information for X number of years, the customer can't force you to delete it.
Similarly credit agencies aren't required to comply with deletion requests either. You can't simply GDPR your way out of a bad credit score.
But it's a total mess, when you read the GDPR it's clear that it's written by people with limited understanding of IT. Of cause it has to be extremely strict, otherwise you'll end up with a Cookie-law 2.0. The cookie law from the EU was read by the industry in a way that clearly wasn't intended. It made zero different to user tracking, we just got a bunch of pop-ups stating that the site uses Cookie. If you read that law as I believe it was intended, the idea would be that you could say yes to cookies or no. If you choose no, the site would disable the use of tracking cookies. But was to much work, so people just slapped a cookie pop-up on their sites.
The cookie law was never well thought out, that's why nobody read it in the way it was "intended" (what was the intent anyway). The distinction between a regular cookie and a tracking cookie doesn't exist except in the minds of the EU regulators, so no surprise that all they achieved with this was making the EU web experience horrible by default instead of opt-in horrible - browsers have let you request notification of cookies being set since forever, after all, and you can create extensions to notify you in whatever way you like.
Thanks for the clarification. This is definitely going to make lawyers rich and make it much harder to startup. The legal cost overhead benefits the establishment at the cost of startups and SMEs
Similarly credit agencies aren't required to comply with deletion requests either. You can't simply GDPR your way out of a bad credit score.
But it's a total mess, when you read the GDPR it's clear that it's written by people with limited understanding of IT. Of cause it has to be extremely strict, otherwise you'll end up with a Cookie-law 2.0. The cookie law from the EU was read by the industry in a way that clearly wasn't intended. It made zero different to user tracking, we just got a bunch of pop-ups stating that the site uses Cookie. If you read that law as I believe it was intended, the idea would be that you could say yes to cookies or no. If you choose no, the site would disable the use of tracking cookies. But was to much work, so people just slapped a cookie pop-up on their sites.