When applying for a Schengen visa, an applicant is typically required to provide a proof of accommodation. Often it's a screenshot from a hotel aggregator, or an email from a hotel (if booked directly), or a letter from a friend warranting an accommodation. It may contain some numbers which may be validated on the aggregator's website. In other cases, a call to the hotel or the friend may be required to confirm that the reservation is not fake.
What is the legal basis (if any) that permits the embassy (frequently located outside of the EU) to request information about a person's reservation from a hotel, and receive a response?
I suspect there would be some data protection laws which make it illegal for the hotel to disclose information about their guests' reservations to random third parties, like a curious bystander. I also suspect that embassies are legally able to make any requests to verify the information provided in the visa application. Hence, some kind of permission or exemption is probably granted to the embassy processing the visa application.
This question is generic, about any Schengen country or EU-wide regulations. For example, the Austrian visa application in London links to a GDPR statement(?) and the application form. Both cover what happens with the information provided by the applicant (stored here, accessed by these parties and officials), but I don't see how any of them legally allow the hotel to disclose information to the embassy.