> because, well, otherwise they can't deliver the pizza.
This is covered by one of the five other GDPR principles for lawfully processing data ("to fulfil contractual obligations..."), so it wouldn't be considered a legitimate interest.
An example of legitimate interest would be the Pizza Place keeping your address on their phone system, so that when you call from the same number on a future date, they can confirm your address without having to ask for it again.
It can also be for advertising. It's very unclear where the line is: of course Facebook has an interest in tracking you, it legitimately makes them money. Afaik that's what this purpose is for. But it should also be weighed how reasonable versus invasive it is. The data protection authorities are clear on how they see it (namely as mostly a dummy clause that rarely lets you do anything) but it has yet to be seen how this holds up in court.
The attitude of the UK's ICO seems to be quite lax - it gives as an example "you do not want to give the individual full upfront control (ie consent)" with the implication that if you don't want to ask for consent, it's a legitimate interest.
I expect the first point of divergence between UK GDPR and EU GDPR might be here (since they are now separate), in how 'legitimate interest' is interpreted in the law.
This is covered by one of the five other GDPR principles for lawfully processing data ("to fulfil contractual obligations..."), so it wouldn't be considered a legitimate interest.
An example of legitimate interest would be the Pizza Place keeping your address on their phone system, so that when you call from the same number on a future date, they can confirm your address without having to ask for it again.