Processing without consent doesn't work for multiple parties.
You can't claim that because you need to provide service for someone else you need to process data of non-users.
The users of which you collect data is required to be part of the service or contract to fulfill unless you have a damn good reason not to and "we need to provide this service because we go belly up otherwise" won't fly, IMO. A legitimate interest would be stuff like "we will make backups of our data, ensuring that deletion requests are carried out upon restore, to continue providing service in case of disaster" or "we will log your IP temporarily because we need to provide essential network and information security"
You can't claim that because you need to provide service for someone else you need to process data of non-users.
The users of which you collect data is required to be part of the service or contract to fulfill unless you have a damn good reason not to and "we need to provide this service because we go belly up otherwise" won't fly, IMO. A legitimate interest would be stuff like "we will make backups of our data, ensuring that deletion requests are carried out upon restore, to continue providing service in case of disaster" or "we will log your IP temporarily because we need to provide essential network and information security"
[Laid out in https://gdpr-info.eu/recitals/no-40/]