Why does it need to link the transaction that happened to a specific account? They certainly need to keep inventory records, but it's enough to note that an item was sold without linking that to a specific account.
Are we using different definitions of the term "purchase history"? To me, that means a list of purchases by a single person. You can derive PII from that, so that's a no-no under GDPR. If you just have transaction records but can't group them by customer, then that's (probably) fine.
Also note that sometimes you're legally required to keep PII for a certain amount of time, e.g., invoices with PII for tax reasons. GDPR says that's fine but you have to keep them for no longer than needed.
> Also note that sometimes you're legally required to keep PII for a certain amount of time
I'm not talking about legal reasons. You can keep the data regardless for any purposes as long as you remove the "personally identifiable information".
For example, you will be required to remove their exact address but you can replace that with the general area (e.g., post code) as a part of your anonymization.