by jefftk 1251 days ago
> Monitoring of traffic for a website owner is inarguably legitimate interest if even just for DOS protection.

Even in cases where the GDPR allows data collection for one purpose, that does not mean you can apply your collected data or analysis for a different purpose.

1 comments

IANAL but I don't think that's what's happening here: the gp was referring to circulation figures. DOS-protective measures need insight on individual bad actors but only derived aggregate figures are needed for circulation. That's not something covered by GDPR in any way - it's extremely explicit in defining what types of data points relating to "natural persons" it covers.
I think what you're proposing is:

1. Collect data for DOS-prevention purposes.

2. Analyze it afterwards in aggregate for advertising purposes.

Except you can't do #2 without turning #1 into "collect data for DOS-prevention and advertising purposes", which goes beyond your legitimate interest in collecting the data.

I agree that #2 should be allowed if you'd do #1 anyway, but this isn't how the GDPR works.