freehorse 10 days ago

If it is based on legitimate interest, under gdpr you don't.

Reply View 5 replies
  • layer8 10 days ago

    You are required to inform the affected users, however.

    Reply View 0 replies
  • aforwardslash 10 days ago

    Legitimate interest of the user, not yours. Rule of thumb, if its not a legal requirement, you need consent.

    Reply View 3 replies
    • d1sxeyes 9 days ago

      That’s not true. From the law as written:

      > legitimate interests pursued by the controller or by a third party

      There are six lawful bases for processing, consent is only one of them.

      Reply View 2 replies
      • aforwardslash 9 days ago

        "legitimate interests" are subject to interpretation on purpose; either legitimate interests on a given instance are lawful, or you're better off relying on consent, since your interpretation and the regulator's interpretation may be different. Check page 7 of https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...

        Reply View 1 reply
        • d1sxeyes 3 days ago

          What's 'legitimate' and what isn't is up for interpretation, but the question of whose interests is clear in the text of the GDPR itself, and it's the controller's (or a third party's) interests which could form the basis of lawful processing.

          Interestingly, the GDPR specifically does not include 'benevolent' processing (i.e. processing for legitimate interests of the user) as a lawful basis.

          Reply View 0 replies