Does it matter when an application collects more data than they need?

The short answer is yes. The GDPR requires data minimization. This means that a supplier shouldn’t require the collection of data more than they need to provide their services. Any supplier we sign a DPA (Data Processing Agreement) with, will generally have a description of the data they collect and the purpose of the collection.
Some suppliers (especially those which offer free services) have a business model that relies on collecting all sorts of users’ data – hence, more than required. Some of these data might be sold to other parties or advertisements agencies. Some may construct users' profiles which may bring harm to individuals or even a society (for example, Cambridge Analytica). By applying data minimization, we process personal data according to the GDPR and ensure the protection of TU Delft employees and students.