Consent is one of the trickiest parts of the GDPR, especially in practice, when you look at specific personal data processing activities for which consent turns out to be the only or most appropriate legal basis for the lawful processing of personal data.
For consent to be informed and specific, the data subject (e.g. your customer or your employee) must at least be informed of the controller’s identity, what kind of data will be processed, how it will be used, and the purpose of the processing operations, as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent at any time. The withdrawal must be as easy as giving consent.
The consent must be bound to one or several specified purposes, which must then be sufficiently explained. If the consent is meant to legitimize the processing of special categories of personal data, the information for the data subject must expressly refer to this.
GDPR Article 7 sums up the essential conditions for consent to be valid. In a nutshell: