For data processing to be lawful under the GDPR, organizations must establish a valid legal basis, with consent and legitimate interest being two of the most frequently invoked grounds . Consent must be a freely given, specific, informed, and unambiguous indication of the individual’s wishes, signified by a clear affirmative action. It is a cornerstone of data protection, ensuring that individuals have control over how their personal information is used. However, the concept of “legitimate interest” provides a different pathway, allowing organizations to process data when it is necessary for their legitimate business interests, provided these interests are not overridden by the fundamental rights and freedoms of the data subject . This basis requires a careful balancing test and is subject to the individual’s right to object. The European Data Protection Board has provided guidance on when this basis can be appropriately used, such as for developing AI models .