Article doesn't clear much up but muddies it further.
If anyone is using this article for their own research then I would recommend a lot of extra reading. For instance:
"This said, though, explicit consent isn't always required. According to Article 6 of GDPR processing, PII is legitimate (albeit with a couple of caveats) if: "processing is necessary for the purposes of the legitimate interests pursued by the controller". If you want to buy something from my online store it would be daft if I was obliged to ask you explicitly for permission to use your card number to take payment and your address to post you the goods."
However, the legitimate interests ground is sub-section 6(1)(f) and states:
"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
The caveats are key as anything as absolutely necessary to function (e.g. not marketing) would not be in the interests of the data subject. The data collected and processed would need to be the absolute minimum with a clear assessment of why data was included. This section also does not apply to public bodies.
The actual sub-section for dealing with a shop customer is 6(1)(b):
"processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"
Which covers the minimum needed to capture customer data to make a sale. This may well stop shops asking for your address when buying over the counter for instance - also it should stop shops in airports requiring your boarding pass when you aren't buying duty free goods.
There are some critical issues relating to the GDPR that may make significant changes to the way companies operate. With the ruling that IP addresses can be PII, this can affect everything from weblogs, analytics and intrusion detection systems. It may be hard to justify intrusion detection as a legitimate interest if you have never had an attack but have been merrily hoovering up IP addresses of everyone who visits your website. Also, call centres would no longer be able to automatically record calls, apart from some industries which may have a legal obligation. They will have to give the caller an option at the beginning of the call, which will have to be auditable.
Also remember the actual bill has not yet been published, so we only know the minimum that will be in the bill, not all the clauses it will contain.