Keeping an email address or mobile number might be appropriate but not bank details, passports etc,.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/
If this is true Arnold Clark have fucked the pooch here.