"There is an explicit exemption in GDPR for data needed to fulfil legal obligations"
There isn't an "exemption" (explicit or otherwise) as it's not needed anyway. Retention can be on any basis you choose provided you justify, document and adhere to that basis. You're even allowed to describe the basis on which you decide retention periods rather than specifying a finite duration (e.g. "until no longer required for taxation claims").
In event of challenge, the supervisory authority should however be likely to agree that your retention criteria are reasonable, so you do have to be specific whichever of the two approaches to defining and documenting it you choose to adopt.
Biting the hand that feeds IT
