Hacker News
by rndgermandude 1414 days ago
It's not as easy as saying "there is an exemption", because courts ruled in many such cases and usually denied that argument, at least here in Germany and other EU jurisdictions I am aware of.

E.g. you cannot just keep medical records (unless you are e.g. a hospital and are required to safely keep that data) or dick pics either. Decisions about other less sensitive PII often haven't been made yet, but chances are the courts will not side with you but with the person whose PII is concerned.

What you can keep is enough information to identify the paid user in court (e.g. name and address data) and enough information to e.g. show you fulfilled your contract. E.g. if you're an email provider you probably can keep logs that show a paid user accessed your service and sent and received emails regularly, i.e. metadata about usage. What you cannot keep is e.g. the actual emails a user wrote or received or what contacts were in their address book.

Then, there are statutes of limitations, e.g. in Germany usually 3 years for any debt disputes. Keeping data beyond that wouldn't be covered by exemptions, as the data would no longer be necessary to mount a defense.