by jen20 2513 days ago
Quite: far too many people equate the "consent" basis for holding data as the _only_ basis for holding data. It is not, and compliance with other laws is also a valid reason which _cannot be overridden by withdrawal of consent_.

Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

If you have a legitimate basis to collect and store personal data for some purpose X, then that doesn't allow you to use the data you collected and stored for anything else - if you want to use the same data for some other purpose (like targeting ads or giving them to your "partners" to target ads), then you need consent; and if you give them to your "partners" to allegedly execute that legal need X but it turns out that they're using it to target ads or reselling data, then you're liable for that.

> Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

That's debatable. The GDPR itself explicitly notes [Recital 47] that even direct marketing can constitute a legitimate interest.

However, there are specific provisions for that case, particularly the explicit provision [Article 21, para 3] that if the data subject objects to processing for direct marketing purposes then that is black and white and that processing must be stopped.