All "personally identifiable" information stored in any sort of retrieval system by an EU company must obey the rules. A shoebox full of unsorted handwritten letters is not a retrieval system; a list of railway stations is not personal; a novel is not information for this purpose.
Such information must be stored for a specific purpose, and the subject must be told the purpose and consent to it. Using the information for another purpose is illegal. Giving the data to another entity, except if the subject was told this was part of the purpose, is illegal. Moving the data out of the EU is illegal, except if these rules can be enforced elsewhere.
The subject is entitled to see all information you have about them, and you must correct errors which are reported to you. You may charge a "reasonable" (most jurisdictions interpret this quite narrowly) access fee and demand some evidence of their identity.
You must destroy any information you no longer need. You should have explicit policies justifying any data retention and scoping it appropriately.