It seems like if it's just a phone number, then no. Because knowing only the number, it is impossible to uniquely identify a person. If, in addition to the number, some other information is stored, name, passport data, then yes - a violation.
PS but this is not accurate =)

what if the phone is personal data

Purely interesting, but if a person voluntarily uploads his data. For example, filling out your profile on github or SO

IF it applies, then yes, you understand correctly.
But the bottom line is that he is not one of them. There are different positions for different specialists, of course. But we are now proceeding from the fact that having only the knowledge of a telephone number, an ordinary person cannot establish the identity of anyone. According to the Agreement with the OPSOS, the number generally belongs to him (although I am not aware of the subtlety of this moment in connection with the transition to another operator).
Now for the second part of the question. All discrepancies arise from attempts to make a cocktail of warm and soft at the state level. The state considers its citizens as a kind of liability and is stubbornly convinced that the data on this liability belong to the state itself (please do not go into the subtleties of terms here and below. Of course, the personal data themselves belong to the Person and no one denies this. The question is that the shield, called for protection, used as a barrier). Hence, incidents arise when a person (Person, owner of PD) allegedly loses the right to dispose of his own data, entrusting operations with them to someone who is not included in the Register.