I think it's an interesting question about the way the “business activities” exemption and the “legitimate interest” exemption can interact, along with the question of implied versus explicit consent. It's very difficult to answer this question in a few seconds.
Broadly speaking, if we are to allow organizations to decide whether or not it's in their legitimate interest, then at a minimum we need to enhance the accountability and transparency measures, so that it doesn't happen without the knowledge or consent of individuals, and there is a requirement for organizations to justify to the public why they believe this information is in their legitimate interest to collect, and how they're protecting it.