by m11a 722 days ago
GDPR also allows for processing for a company's "legitimate interests", which is supposed to be a balancing test, but Uber could argue it needs to process ID documents to ensure safety on its platform. If the company refuses to delete, the only option you have is to escalate to a data supervisory authority and have them adjudicate on it.

But more generally, GDPR has multiple legal bases for processing other than consent, and for any other than consent the processor might still be able to process data despite the right to be forgotten. And IME big company data processors tend to interpret these exceptions quite liberally, hoping people won't have the means to challenge their decision.

1 comments

That is correct and that is also crucially why all these consent modals that have a second toggle for "legitimate interest" from partners are also blatantly non-compliant: you can only use ONE legal basis for processing, and if consent is sufficient to opt out, that means it cannot be "legitimate interest" as defined by the GDPR.

The definitions for all these exemptions are EXTREMELY narrow and court cases have demonstrated this repeatedly. If you have a legitimate interest to verify someone's ID to establish identity that does not mean you are allowed to do the ID verification yourself (rather than relying on a third party) nor that you're allowed to use a service outside the EU (e.g. Israel) nor that you (nor they) are allowed to store that ID any longer than necessary to process it exactly once.

The GDPR dictates data minimization. If your business model is incompatible with that and it's not because of regulatory requirements, I'm sorry but we have a word for that and it's "criminal enterprise".