Companies would have to make it clear that they are holding the information for a specific purpose, which in this case would be complying with right to work in the uk legislation. Legal obligations are an exemption under GDPR, so the fact businesses have a statutory obligation to do this means...