4 provisions in the recitals provide that for data processing based on legitimate interests and for further processing, the reasonable expectations of the data subject are also relevant:
Rec. 47 (1): „The legitimate interests of a controller […] or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.“
Rec. 47 (3): “At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”
Rec. 47 (4): “The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
Rec. 50 (6): “In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: […] the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; […].”
The legal concept of "reasonable expectations" originated in US case law. It has been used in a modified form in the legal culture of some EU member states and in the case law of the ECtHR. The old version of the German Data Protection Act contained notification obligations insofar as the data subject did not "have to expect" specific processing "under the circumstances of the individual case".
The "reasonable expectations" are one balancing criterion that takes its place alongside other criteria [see Tile ...].
It is unclear to what extent the term "reasonable expectations" includes subjective-individual sensitivities or even misconceptions of the data subject or to what extent an objectifiable understanding of reasonable expectations of the data subject is decisive. The term is sometimes interpreted to mean that the controller cannot invoke his legitimate interest at all if he has not even considered the expectations of the data subject (Robrahn/Bremert).
Correctly, one will have to start from a mixed subjective-objective standard. The subjective expectation of the data subject, who is not trained in legal matters, is flanked by the "knowledge of the general public". In the case of processing that is considered to be common knowledge, higher requirements will regularly have to be placed on a justified expectation of privacy (Schulz, in: Gola).