Re: Reminds me of PCI Compliance
No he'd be right. They don't need to retain that data to provide the service he has contracted them for so in fact they would not be permitted to retain it in the first place without consent.
And that consent must be informed and freely given and just as easy to remove as to give.
For the consumer and the citizen the GDPR is a very good thing indeed.