European law requires that any purpose for processing data is supported by a valid legal ground to do so. There are six options:
|Permission (consent)||The most well known legal ground. You can give permission relatively easily: by clicking a button. Because it's so easy to give, European law has also made it easy to revoke. If a certain piece of data is processed for a certain purpose because you gave permission, then you can always go to that organisation and say you are revoking your permission (which should be as easy as giving it). If no other purposes and other legal grounds for processing the data remain, then it must be deleted (if legally possible).|
|Contract||This legal ground is a step up from giving permission. Two parties can enter into a contract, and then there must be a record of that contract. Usually a piece of paper with a signature. Dissolving a contract usually requires agreement between both sides that they want to dissolve it.|
|Legitimate interest||An organisation can claim they have a legitimate interest to process the data. This means they believe a court of law will agree that it's necessary to process the data, and that you would probably agree with this. Because it's legally not necessary to ask permission first, this legal ground is getting more popular online. This can be objected. It's easier to ask for forgiveness than permission.|
|Legal Obligation||Sometimes local law requires that data is processed. For example, when starting a job somewhere, your name and national ID number must be recorded.|
|Vital interest||In emergencies, sometimes your data must be processed in order to save lives - likely your life. This legal ground is mostly used by hospitals and doctors. It's relatively rare that it's used.|
|Public task||This legal ground is generally used by government agencies so that they can share data between them in order to fullfill their function in society. For example, the county that you live in must store records about you in order to issue and validate passports.|
Each purpose must be supported by a single legal ground. No more, no less. For example, imagine you're buying something online. You may have given your email address for two purposes. First, as part of a purchasing contract. But if you also selected the option to "sign up for emails about discounts", then this specific purpose could have a different legal ground: permission. This means you should be able to easily unsubscribe from the email list (revoking your permission). But in this case unsubscribing won't mean that your email address is deleted from the system, since it may need to remain because it's part of the contract.