srrr | 3 years ago

From what I understand the legal exception to process personal data without consent is written down in Article 6 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph b)

"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"

This is ok for GDPR compliant data processors. The reason why US companies can't be GDPR compliant is because of Article 5 and the conflict with the Cloud Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f)

"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

See also Schrems II: https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II

It doesn't even matter if you asked for consent or have other reasons to process the data (Article 6) if you are not complying with Article 5.

jacquesm|3 years ago

Since there is no way to give your consent without accessing the server this argument is moot.