That does get complicated in the real world. You might need to retain some data for potential future refunds, for example. But perhaps the application that does refunds also does the loyalty program, and the internals of the app aren't always separate enough that you can delete/obfuscate/whatever info from just the loyalty part.
> You might need to retain some data for potential future refunds, for example.
Then that would be a legitimate interest, and you could store that information for a period of time that is reasonable for processing refund requests.
But you would be barred from using that same information for a different purpose, e.g. the loyalty program.
GDPR article 25 requires systems to be have privacy built in, so a system such as the one you describe where a separation of these concerns is impossible, would probably itself be in violation of the regulation.
