I suspect the GDPR questions about facial recognition will run and run. There are in fact several layers to it.
# There needs to be some basis for collecting the face data which, at the time of collection, included an explanation of the planned purpose.
# There needs to be some basis for collecting the CCTV images at the point of use.
# Once facial recognition has taken place the resulting data must only be processed in a way which is compatible with both data collection justifications.
# If, in either collection point, consent is used then a proper explanation of how the data will be processed needs to be provided.
# Given that GDPR explicitly makes it unlawful to make collection of inessential information a condition of any service (such as entering a shop), then no matter what signs you put up the shop cannot assume consent and as such needs a lawful basis for collection other than user consent.
Based on these I cannot see how facial recognition can be used in a commercial setting without either explicit, fully explained consent (Amazon shop) or if it is being used for some specifically permitted purpose. This is likely to be difficult around use versus shoplifters as it is likely that the only lawful use would be to draw staff attention to who to watch as it could not, on its own, be used as the basis for any positive action without running into severe GDPR problems.
Obviously, none of this bothers the companies involved because they are specifically planning for the European market and, of course, almost anything goes in the USA. It is likely that this is why everyone is so concerned about racial bias as that would make positive action on such evidence unlawful in the USA.