(47) The legal basis for the processing may be the legitimate interests of the controller, including those of a controller to whom the personal data may be disclosed, or of a third party, insofar as the interests or fundamental rights and freedoms of the data subject are not overridden in light of the reasonable expectations of the data subjects based on their relationship with the controller. Such a legitimate interest may exist, for example, in cases where there is a relevant and appropriate type of connection between the data subject and the controller, for example, where the data subject is a client of the controller or acts on behalf of the controller. In order to establish the existence of a legitimate interest, a thorough assessment would have to be made in each case, including an assessment of whether, at the time and in the context in which the personal data are collected, the data subject has a reasonable expectation that processing for that purpose may occur. The interests and fundamental rights of the data subject may override the interests of the data controller in particular in cases where personal data are processed in a situation in which the data subjects have no reasonable grounds to expect further processing. Since, for public authorities, the legal basis for processing personal data should be determined by the legislator, the controller's legitimate interest should not apply as a legal basis for the processing that public authorities carry out in the performance of their tasks. The processing of personal data absolutely necessary to prevent fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes can be considered an activity performed in the legitimate interest.
"Our employees are doing perfectly well; they do not need training."
Are you sure about that?

