[Silhouette]

While accessing any user personal details you need to have user consent to process their personal data.

Consent is only one of the lawful bases for processing data under the GDPR. In practice, it's the one almost everyone tries not to rely on unless they can't avoid it, because it comes with extra obligations that other bases might not.

[pas]

Could you list the others? Or at least provide some examples?

Basically all I know are based on either mandatory by law record keeping, or records used to fulfill whatever service/product/goods the user purchased, but even in these cases the processing must be described, right?

[Silhouette]

The GDPR itself is actually quite readable, so if you're interested in the details, you can got to the source. There's a neatly formatted version hosted here:

https://gdpr-info.eu/art-6-gdpr/

What the source material won't tell you, for better or worse, is how these are interpreted in reality by data controller, processors and regulators. The two main things to know in that respect are:

1. Relying on the subject's consent is usually the last resort. It comes with lots of extra strings attached.

2. The "legitimate interests" provision is open to interpretation. It is widely used as an excuse for processing that many of us might consider far from desirable. But it is also a risk for data processors doing things many of us might consider reasonable, because any regulator can take a different view and they get to win by default.