It should definitely no longer be in a system that could attempt a transaction or other checks, it should be archived.

So definitely some sort of case here for sure

This is just from memory and I haven’t double checked it but.

There’s exemptions in GDPR, and some of them are related to financial, tax and safety stuff.

A company has to be able to prove legitimacy of transactions for 10 years in most of Europe, so keeping your card details and transaction history etc for 10 years is within GDPR exemptions for sure.

The real issue here is why the card of someone who has otherwise completely ended their customer relationship with the business was accessed in any way.

I solved this issue with the magic of a black whiteboard marker.