[tick_tock_tick]

Yes, that is correct GDPR as written and as being interpreted by the courts covers every aspect of commerce, any interaction with another entity no matter how far removed, and any observable side effects of said interactions even if neither party knows of the third parties.

[swores]

Yes of course it would cover that hypothetical situation, as I said in my comment, but it would still be ridiculous in general conversation to say "GDPR does require that businesses get consent before using fridge magnets" without specifying "if personal data is involved".