Exactly. It's not just about what you collect and store, but also about what you do with the information.
You can freely collect data as a legal requirement, or for "legitimate interest" purposes such as fraud prevention. But you can't use the data you just collected for analytics without proper consent.
Contractual basis, too, is often the easiest way to collect and store PII. E.g. if you have a contract with someone, you can often store a lot of their data to fulfil the contract.
There is meant to be a sense of proportionality, but as with many things in privacy laws, it's subject to interpretation and intentionally left vague.