Presumably these fall into the "processing is necessary for compliance with a legal obligation to which the controller is subject;" (Article 6(1)(c)) category, no?
I agree, I just wanted to point out that it is also a source of personal/sensitive data that ought to be tracked. Even if you have a legitimate interest to process/store the data that allows you to not seek consent or to deny the right to be forgotten for instance you still need to put in place measure to store the data securely, define a date at which the information will be deleted, measures to mitigate the risk,... etc.