It's surprising but the EU tends to be one of the most stringent regions to work in both when it comes to totally permanently deleting things and when it comes to never ever deleting things - as with anything like this where there is a debate (rather than a settled best practice) there are some times when soft deletion is appropriate and necessary (i.e. to adhere to log retention requirements common in the EU) and some times when it's unnecessary... and the occasional fun time when it's both necessary to support soft deletes and hard deletes - when logs need to be retained for auditing purposes but also when some users can force a hard delete (leading to that data either being purged or moved to an archive storage if it's still needed for auditing purposes).

The world is almost never as simple as it seems.

GDPR is probably the worst piece of law ever written.

If an account is linked to invoices, it is perfectly reasonable to keep personally idenfitiable information for up to 10 years (would depend on each member state, but I don't think any have laws requiring you to keep invoices for more than 10 years). And because of that legal requirement you can justify keeping an audit trail of everything relevant for those transactions.