Consent is one of the trickiest parts of the GDPR, especially in practice, when you look at specific personal data processing activities for which consent turns out to be the only or most appropriate legal basis for the lawful processing of personal data.
For consent to be informed and specific, the data subject (e.g. your customer or your employee) must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations, as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent at any time. The withdrawal must be as easy as giving consent.
The consent must be bound to one or several specified purposes, which must then be sufficiently explained. If the consent is meant to legitimize the processing of special categories of personal data, the information for the data subject must expressly refer to this.
GDPR Article 7 sums up the essential conditions for consent to be valid. In a nutshell: