I hit them with the fact that a person controlling the e-mail address can use their ‘Forgot password’ feature to take control over the account and access my sensitive data they’re in possession of or steal my identity using their own services.
this was their excuse to why they won't delete my info without proof of ID.
I told them no, I told them that if my bank or phone provider or online grocer who all have much more important and sensitive info, namely my payment/bank details, can verify me without extra documentation, so can they, they still said no.
So I've filled a complaint with the ICO, there's fuck all else I can do unfortunately..
Took me a minute to find, but that's really great info, thanks!
I've already filled a complaint with the ICO since the company continued to refuse to delete my data, so we'll see what they come back with (their own guidelines say something very similar - "they should only ask you for just enough information to be sure you are the right person") if they side with the company I will definitely be quoting these guidelines.