It is limited to a purpose and informed. But the most surveiled country left EU some time ago (and the survelliance was entirely due to their own laws, not EUs) and it's not as bad, and better since GDPR.
So for example if you want to have cameras in your shop you have to write on the doors that you have it, who is processing that data and for what purpose.
If say you as owner wanted to give that data to police, that's within the usage and fine. If you decided to make compilation of funny people in supermarket from it, or decide to train your AI models on it, that would be illegal. There is also limitation on storage period (3 months) that can be longer only if there is some crime being investigated related to that.
More IT related example: we can log IP and stuff for security purposes but they can be used only for that; we don't need to get consent to save that for purpose of say preventing DDoS or spotting out attacks but we can't use that to do analytics without anonymizing data or consent.
There are other laws that require storing data for longer, mostly tax and money related, can't exactly use GDPR to tell bank to stop storing your financial data.
Most importantly that puts the burden of handling it on corporations; with GDPR the PII is basically "radioactive".
I think it is in pretty good compromise between "freedom to do whatever you want" and "freedom for whoever else to fuck you without consequences because they can do whatever they want" althought EU is definitely overreaching in places (like the hard-on on EVs before infrastructure is ready)
