Personal data may only be processed under strict conditions. In addition to other requirements, the consent of the person concerned is required. Yet, if the controller can invoke its own legitimate interest or that of a third party, consent is no longer required for data processing.
However, the term “legitimate interest” is currently still an undefined legal concept that can only be further defined in court proceedings. Legitimate interests for data processing can be, for example, to prevent fraud or misuse of data. It is also conceivable, though, that companies may try to claim customer acquisition or customer retention as their legitimate interests and use this as a justification to send out advertising, even if data subjects have not consented to the processing for this purpose.
If data are processed on the basis of a legitimate interest, these interests need to be weighed against the interests of the data subject.
Article 6(1) GDPR (Lawfulness of processing)
Processing shall be lawful only if and to the extent that at least one of the following applies:
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Source: Regulation (EU) 2016/679 (see also recital 47)