Sunday, September 24, 2017
GDPR States, Direct Marketing May Be a Legitimate Interest
Direct Marketing is mentioned a few times in the GDPR.
In Citation 47, the GDPR does state, ".. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." [GDPR Citation 47]
The same citation also notes that the person being marketed to might be a customer.
".. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller." [GDPR Citation 47]
However, the person has the right to object to the direct marketing:
"Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information." [GDPR Citation 70]
So Direct Marketing might have a Legitimate Interest, unless Special Categories of Personal Data are collected, in which case Consent is required as the Lawful reason for processing.
".. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent.." [GDPR Citation 51], and, as an exception under which special categories of personal data can be collected, "the data subject has given explicit consent to the processing of those personal data for one or more specified purposes," [GDPR Article 9, Paragraph 2(a)]
So, how do the special categories of personal data relate to direct marketing? The connection is in the descriptions. Special categories of personal data are described as:
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." [GDPR Article 9, Paragraph 1]
The key words here are "biometric data". Biometric data is defined in the GDPR as:
"‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;" [GDPR Article 4, paragraph (14)]
The key words here are "behavioral characteristics", which are tied here to tracking the activities of an individual on the Internet and to Profiling.
".. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes." [GDPR Citation 24]
Further, the processing of biometric data also triggers the requirement for a Data Protection Impact Assessment.
"A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data.." [GDPR Citation 91]