@kuba
Examples (multiple because I expect the answer might differ):
a) "we don't serve these people" in a butcher shop
b) "these people cannot attend our performances" in a theatre,
c) "these people cannot buy anything from us" for an online retailer.

(Motivation for the question is https://www.nbcnewyork.com/investigations/face-recognition-tech-gets-girl-scout-mom-booted-from-rockettes-show-due-to-her-employer/4004677/)

@robryk tough question. I suspect there's no general answer. I guess it depends mostly on the purpose of such blocklist and it's proportionality to the importance of that purpose.

@kuba WDYM by purpose? Isn't purpose in all cases "nor serving a person we desire not to serve"?

@robryk uh, maybe I'm mixing purposes with legitimate interest here. Legitimate intrerest has to be more abstract, like "ensure physical safety of our staff" or "make sure our clients feel safe" or stuff like that. If they're processing facial recognition results without consent, they have to have a legitimate intetest.

@robryk But just stating that you have a legitimate interest isn't enough. You have to do a "balance test" between the importance of your interest and rights and freedoms of data subjects.

@kuba I'm wondering about the case of processing someone's name or photo (that's shown to staff), because e.g. this fellow is too troublesome to serve. (Does gdpr make this qualitatively different from doing face recognition to do the same thing automatically?)