The answer is no. The fact that personal data is publicly available (e.g., on social networks, directories, or institutional websites) does not eliminate the application of the rules imposed by the GDPR, nor does it automatically transform this data into “free data”.
Recital 26 of the GDPR clarifies from the outset that “The principles of data protection should apply to any information relating to an identified or identifiable natural person.” This means that, even when data is accessible to the public, the data controller remains bound by a legal basis, the principles of lawfulness, minimization, and transparency, as well as the duties of information.
Access to data does not equate to legitimacy for processing; and publicly accessible is not synonymous with free use.