Re: Go to the organ grinder..
"Direct marketing is specifically called out in the GDPR as a legitimate interest..."
No it isn't the only place is in recital 47. Although that states The
processing of personal data for direct marketing purposes may be regarded as carried out
for a legitimate interest. The key is the 'may' bit which has been discussed ad infinitum on various channels. The consensus is that this only applies if it would not have been possible to get explicit consent at that time and definitely does not apply to a second level recipient of that data.
The whole point of explicit consent was to allow the data subject to decide what their data could be used for. If a company was allowed to override this just by saying it was in their interest then this would negate the need for explicit consent in nearly every case.
Quite a good break down of it is here: https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/
"Therefore, marketing and sales organizations would be ill advised to skip consent collection and instead rely on legitimate interests to justify, for example, tracking prospects’ online behavior based on site visits, email engagement, IP address location tracking, etc. to show behavioral ads or create sales lead scores.
For those insisting on the possibility of a blanket, categorical affirmative interpretation of this last sentence as absolving all direct marketers of the need to ever obtain consent, Recital 70 firms rejects this possibility:
(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
It is therefore unambiguous that direct marketers must obtain consent as a rule, unless they are able to prove legitimate interest in particular cases where data subjects reasonably expect such data processing to take place, as per outlined in Recital 47."
Finally you mention the ePD but that is not the UK law. The UK law is PECR 2003 (latest amendment 2016)which was putting the ePD into UK law.
There is no grounds for you to apply for a financial service and end up having marketing sent to you from a third party company due to your inclusion on credit reference agency file without your explicit and unambiguous consent.