IMHO GDPR was to prevent malicious use of personal data.
Then you should freshen up on the law. Any use of personally identifiable data, apart from a few statutory exceptions, requires the explicit consent of the person involved. Malicious is open to interpretation which is why it's not mentioned in the law.