Hacker News
by Dayshine 2026 days ago
The key caveat here is:

Unless it's necessary. The legitimate interests basis of the GDPR allows you to make a balanced decision of your business requirements against user privacy expectations.

2 comments

Yes, and you have to line out how the processing is necessary for providing the service; there has to be no less intrusive method of achieving the desired result, and you have to be ready to prove it.

Hint: user-level analytics rarely is. And in this specific example, repurposing logs kept for one purpose (e.g., security/auditing) to user analytics is definitely not something you can just do.

An example that's explicitly called out as allowed is using logs for security purposes.