What we did was basically ignore GDPR and send an email to our watchdog about the points we weren't sure would pass as legitimate use.
Basically: if you in good faith think it's legitimate, it's probably legitimate. The watchdog will propose ways to remove PII from your data if they think you're misguided, and they drafted us an architecture that worked for data protection (about half a day of work for an architect; I think they already have this kind of draft, as our issue was quite common). We spent 20 minutes writing the email and basically earned $500 (or whatever half a day of an architect's time costs). We also had prior contact with the watchdogs for unrelated reasons (trying to get certified to handle sensitive data).