by drraid0 3035 days ago
It seems that since the GDPR requires deletion of data upon user request, companies will not be able to send recall notices when, say, a medical device starts killing customers.
2 comments

The GDPR does not require deletion of all user data on request. There’s still data that can and must be preserved, for example business records, thus records of sale. A recall should be possible with those records. The customer might request that these records cannot be used for unrelated purposes, though.
What if the user requests to be put on a do-not-send list (for email newsletters, etc)? Is that data that can and must be preserved?
You’re generally allowed to keep data that is required to provide a service. So in my understanding, yes, if you provide such a service and the user requests that, you should generally be allowed to keep that info _for exactly that purpose_. You can’t use it for anything else though.
And that warning should be made blatantly clear when the customer of a medical device requests their data be deleted.