Right, collecting the data in the first place was a compliance breach.
We're so used to the only kind of data protection enforcement being for data leakage - but this is actually a great example of what GDPR is really for: putting a framework around what personal data it's acceptable for companies to process in the first place.
To expand: it’s not necessarily the collection that’s bad, but that leaks will happen. It’s not a matter of if, but when. So by putting limits on what can be collected, it mitigates some of the damage of a leak.
No, it really is that collecting the data is bad! GDPR is not about making breaches less harmful (though that is a benefit) - it is about preventing businesses from secretly gathering data about you, without your knowledge, and using it in ways that harm you.
One of the ways in which a business can harm you through abusing the data they have about you is certainly allowing it to leak out - but that is very much not the only intention of data protection law.
We're so used to the only kind of data protection enforcement being for data leakage - but this is actually a great example of what GDPR is really for: putting a framework around what personal data it's acceptable for companies to process in the first place.