The GDPR isn't about concrete limits, but concrete permissions. A lot of people have been struggling to make sense of this, because it totally inverts how we currently think about personal data.
The collection, storage and processing of personal data is presumed to be unlawful by default, unless it is for a specific, explicit and legitimate purpose. These core principles are set out in Article 5 and they are well worth reading and reflecting on.
https://gdpr-info.eu/art-5-gdpr/
Did the user give you explicit and informed consent for a specific use of a specific piece of data? Is your use of data absolutely essential to fulfil your contractual obligations to that user? Are you required by law to collect and store that data? Is your use of data essential to preserve human life? If you can't confidently say yes to at least one of those questions, then you're probably in breach.