I think this process was the first actual change in my behaviour I noticed in response to GDPR: I actually did not mind providing my phone number that much, and trusted that they actually deleted it when I requested them to (using an option in the interface) after my account was re-approved.
They definitely do not delete it entirely because sometimes a phone number is prevented from being added to more accounts for a few days or weeks, saying "This phone number is already registered with another account" even if it's been already deleted from all accounts, though they may be just storing a hash of the number that's not linked to any user account.
