Tis is not not ok, actually. I'm a software dev for a European company. I'm briefed by our lawyers.
"Legitimate use" isn't just a phrase from cookie law, it has a very specific meaning.
What's legitimate use? Well, any data I necessarily have to store for our business relation I can store. For as long as I need it. For example: You want me to send you something? Gonna need to store your address. After I sent the package I don't have any need for your address any more so I'd need your explicit consent to store it longer.
Another example for what is considered personal data: IP addresses. Which I store for as long as you watch my site, so that would be another example for a legitimate reason to store personal data.
Still I don't get why they display this banner. To my knowledge it's not necessary to inform the user about storage for legitimate reasons.
All that said, there's plenty of examples of companies illegitimately storing personal data, google is a good example they were sued only yesterday (fitbit)
It isn't. Just as declaring yourself a sovereign citizen isn't a loophole for whatever idiots claim it's a loophole for, declaring illegitimate use legitimate isn't a loophole.
Actual examples for legitimate use: Storing someone's address if he wants to send you something, using someone's IP-address to serve him data while he's on your site.... If it's necessary it's legitimate.
Deutsche Bahn is being sued right now just because of this, here's the initiative that is suing them: https://digitalcourage.de/
Send a few bucks their way instead of spreading false information on the Internet.