If an account becomes inactive, it is no longer necessary to store information and so it has to be deleted.
For the record, I haven't read the GDPR stuff.
The bolded part also implies that it's not required to delete the data. It's probably not what you meant - as I'm guessing GDPR requires that companies delete information they do not need - but it's just something I noticed.
Define "inactive"... in regards to GDPR...
There are many players, myself included, who have taken more than 12 months out and appreciate that our accounts are still here with previous achievements/flags and the ability for old friends to find us by our username.
I know the definition you as a company have provided but, in a court setting, you can't argue that an account is truly inactive when a proportion of the player base have all returned after such a period. Therefore you can surely keep hold of email addresses, username, passwords and in-game purchase records.
Also, if you bought a physical product from a store and then didn't use it for 12 months, the company can't just come take that back. I'd have thought the same should apply to virtual purchases such as premium points. Your customers paid money for that. You really shouldn't have the option to take the product back because "someone isn't using it right now". It's not like it's a subscription that has expired. (
Am I wrong about this? Because of some small underlying maintenance cost of "inactive" accounts to the company? Not sure. Seems counter-intuitive.)
As
ALessonInPointWhoring mentioned above, you should delete payment information after this time frame as that's sensitive personal information that needs deleting.