layer8 10 days ago

You are required to inform the affected users, however.

aforwardslash 10 days ago

Legitimate interest of the user, not yours. Rule of thumb, if it's not a legal requirement, you need consent.

  • d1sxeyes 10 days ago

    That’s not true. From the law as written:

    > legitimate interests pursued by the controller or by a third party

    There are six lawful bases for processing; consent is only one of them.

    • aforwardslash 9 days ago

      "legitimate interests" are subject to interpretation on purpose; either legitimate interests on a given instance are lawful, or you're better off relying on consent, since your interpretation and the regulator's interpretation may be different. Check page 7 of https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...

      • d1sxeyes 3 days ago

        What's 'legitimate' and what isn't is up for interpretation, but the question of whose interests is clear in the text of the GDPR itself, and it's the controller's (or a third party's) interests which could form the basis of lawful processing.

        Interestingly, the GDPR specifically does not include 'benevolent' processing (i.e. processing for legitimate interests of the user) as a lawful basis.