IMHO GDPR was to prevent malicious use of personal data.
Then you should freshen up on the law. Any use of personally identifiable data, apart from a few statutory exceptions, requires the explicit consent of the person involved. Malicious is open to interpretation which is why it's not mentioned in the law.
Biting the hand that feeds IT
