Mobile ecosystem issues aside, IRMA looks excellent. Could IRMA's decentralization and selective disclosure features somehow be combined with OpenID? For example, could the IRMA application serve as a standalone OpenID provider, perhaps using OpenID Connect Federation to establish trust? [0]
Warning: The privacy notice template on this site (https://gdpr.eu/privacy-notice/) omits basic mandatory elements (e.g. retention periods, right to lodge a complaint). The template's section on cookies is insufficient and misleading. Cookies are regulated by a different law (the ePrivacy Directive) and their explanation does not go into these rules at all.
The legitimate interest has been around for a while. It was also a legal basis to process personal data under the 1995 Data Protection Directive which the GDPR replaced. If you are interested in learning more about the notion of legitimate interest and balancing it against the interests of individuals, there is a 2014 opinion from the body of EU data protection regulators that explains the concept with a number of examples. [1]
> If a company sells something online they only really need your address & name for delivery + credit card details.
That would likely be "necessary for the performance of a contract" which is also a legal basis to process personal data. [2]
> I know of multiple companies where they prior to GDPR asked for explicit concent during signup for being allowed to send newsletters, but who post-GDPR dropped the concent and use 'Legitimate intrests' to justify it. Basically leaving the individual worse off.
That could be a violation of the ePrivacy Directive which provides that email marketing requires consent. [3]
In addition to the GDPR concerns mentioned in sibling posts, this type of collection is likely covered by Article 5.3 of the EU ePrivacy Directive, which requires consent for storing or reading information from end-users' devices (also known as the "cookie rule").[0] The Dutch Data Protection Authority recently applied this rule to Microsoft's collection of telemetry data through Windows 10.[1] Notably, this rule is not limited to personal data; it applies to all "information."
[0] https://openid.net/specs/openid-connect-federation-1_0.html