Several opening clauses provide that Member States can/must create legal bases for the processing of personal data. This mainly concerns the so-called public sector - i.e. data processing by public bodies or in the public interest. Here, the EU would often also lack the regulatory competence. However, the opening clauses can also be explained by the fact that a general law such as the GDPR could not do justice to sector-specific particularities (such as tax law). Depending on how you count, there are 4 opening clauses in the GDPR:
Processing: Art. 6 III
… if processing is necessary for compliance with a legal obligation to which the controller is subject: Art. 6 (1) (c)
... if processing is necessary in the exercise of official authority vested in the controller: Art. 6 (1) (e)
... if processing is necessary for the performance of a task carried out in the public interest: Art. 6 (1) (e)
Further processing: Art. 6 IV
"Where the processing for a purpose other than that for which the personal data have been collected is not based [...] on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) [...]"