Guidelines 02/2019 on processing of personal data under 6(1)(b) GDPR in the context of the provision of online services to data subjects
Section 3.2 Processing for ‘fraud prevention’
50. As WP29 has previously noted, processing for fraud prevention purposes may involve monitoring and profiling customers. In the view of the EDPB, such processing is likely to go beyond what is objectively necessary for the performance of a contract with a data subject. However, the processing of personal data strictly necessary for the purposes of preventing fraud may constitute a legitimate interest of the data controller and could thus be considered lawful, if the specific requirements of Article 6(1)(f) (legitimate interests) are met by the data controller. In addition Article 6 (1)(c) (legal obligation) could also provide a lawful basis for such processing of data.