This is a seriously big loophole. Paraphrasing the various positions:

Data Controller:

“data collection is legal because we have a contract with the data subject” (iow, they claim Art.6.1(b) as the legal basis for processing)

Data Subject:

“There is no contract. I did not agree to a contract.”

Supervisory Authority:

“we do not act on contract issues”

EDPB:

“the scope of the GDPR does not include harmonization of national provisions of contract law”

I’m not finding it ATM, but somewhere in the GDPR or EDPB guidelines it says something to the effect of contract law varying across all member states, and therefore the GDPR is not applicable to contract matters and the validity of contracts cannot be assessed.

So, WTF? It’s a blatant abuse flying in the face of the GDPR when a data controller simply falsely claims a contract is in play. Since the SAs opt out of regulating contract cases, this leaves data subjects with only direct court action.