This is one of the legal grounds (reasons) defined in the GDPR under which a data controller is allowed to process personal data.
What is a consent to personal data processing?
Consent is an affirmative action taken by data subject in order to express his or her will. The consent must be given voluntarily, that is to say that the data subject must not be compelled to do so.
- Consent is always given for a particular purpose of processing that the data subject must be aware of. The purpose of processing should be described in the records of data processing activities.
- Approval is revocable.
When the consent to data processing is needed?
When there is no other legal ground (reason) for lawful personal data processing that would not require the data subjects’ consent. Because consent is always related to a specific purpose for which personal data is processed, withdrawal of a consent applies only to specific personal data in a specific processing activity. Therefore, if the same data in involved in some other (meaning other than the one that the data subject wants to withdraw his or her consent to) lawful data processing activity, there is no need to erase it.
The WP29 has published Guidelines on Consent under Regulation 2016/679 - find the link attached.