
Yes and no. One of the most important principles in GDPR is “purpose limitation” (Article 5.1b):

“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”

If a company starts collecting IP addresses for DDoS protection purposes, and then figures out that the data could also be used for marketing - that is most certainly in violation of this principle and therefore forbidden.

A “lawful basis” for the marketing purpose will not save you from this principle.

This is also where the public privacy policy/notice plays a role - for the company to be able to prove that the IP addresses were also originally collected for marketing purposes and fair information was given about this purpose at the point of collection.

In terms of GDPR’s territorial scope, I guess at the point in time you start to use the DDoS prevention IP logs for profiling you come into GDPR scope. You would also immediately be in violation of the purpose limitation principle if it is for marketing purposes.



> If a company starts collecting IP addresses for DDoS protection purposes, and then figures out that the data could also be used for marketing ...

Charitably, I think your sentence is just unclear. It seems much more reasonable that someone just thinking or realizing "that the data could also be used for marketing" isn't legally prohibited. Right?

Someone would actually need to use the data, in some concrete specific way, for something illegal to have taken place.

Right?


Yes



