
Everyone saying "muh GDPR" has no clue none of it applies to financial transactions.

To get a PSD2 "Open Banking" license one needs to KYC every user and keep every transaction that passes through the system, for 5 years, including the KYC data.

Being PSD2 licensed doesn't even make you a bank. Just imagine what an actual bank has to keep around...

Also every business has to keep invoices and transaction data around for tax audits, usually 7 years. So you can GDPR delete request all you want, but the shop where you bought that thing still has to legally know you've bought it.



I think I've asked this in many prior threads, but maybe I'll repeat it here.

Europeans often explain that they see the need for strong privacy laws because of their experience with totalitarianism (Nazi and Communist regimes). But most of those laws regulate private-sector databases and private-sector data collection, not law enforcement or intelligence; and many of them actually contain explicit exemptions for governments.

Clearly, governments have made lots of use of private-sector databases, so it's not as though they're not a risk if you're concerned about totalitarianism. But wouldn't it make sense to focus more on the state than on the private sector?

I know Europeans (especially in the 2000s) have been quicker than people elsewhere to endorse the idea that all state activities (including those of security agencies) need a legal basis and should comply with necessity and proportionality. So that's cool. But I still don't see how the intuition works like "the SD / Stasi / KGB were spying on everyone and that was awful, so we obviously see it's important to restrict ... private-sector databases! but not (as much¹) state access to financial, travel, location, and communications data".

¹ clearly there are some regulations, and they get fought over in constitutional and European courts, but there's also a ton of "we have to make sure the state can monitor people" initiatives all over Europe!


"GDPR delete request" is only allowed for processing based on consent, which is only one of the six legal bases in the regulation. So you will never be able to delete a credit card transaction.

What GDPR gives you is the right to know which data is kept, for how long, and who has access to it. It also forbids a bank from giving this information to Google or Facebook, for example.



