Article 5 of the GDPR states that data processing must have a legitimate purpose.
Legitimacy belongs to a framework that is broader than the 6 legal bases for processing personal data.
The legitimacy of the processing is understood as compliance with the rules applicable in the context of the processing.
In fact, the purpose of processing must not only comply with the rules of the GDPR, but also with the other rules covering the activity carried out by the processing (in particular, employment law, contract law, consumer law).
These rules may come from different sources: decree, law, international standards, custom, case law, etc.
For example, processing whose purpose is to give discounts to customers with a "coloured"-sounding name and to charge more to customers with an Asian-sounding name cannot be legitimate. The processing leads to discrimination, which is contrary to fundamental rights even though its prohibition is not provided for by the GDPR.