On this page: consent, consent form, informed consent form, legal basis
Date of last review: 2023-10-02
Of the 6 possible legal bases to process personal data, consent is currently the one most often used in research, although it may not always be the most appropriate one. With the term consent, we mean the process of data subjects deciding whether or not to agree to specific statements, such as a statement to collect and analyse their data to answer the research question.
The term “consent” is used both in the GDPR as well as in an ethical context:
- In the GDPR, consent can be a legal basis, where data subjects give consent to process their personal data (e.g., “I consent to my data a, b, c being used for purpose x, y, z”). Instead of this “GDPR consent”, you can often also use another legal basis to process personal data in your research, such as public interest.
- In the GDPR, consent can also be a way to lift the ban on processing special categories of personal data. Importantly, in some cases, you should use consent to allow the use of special categories of personal data, but still use public interest as the main legal basis in your research project.
- In an ethical context, informed consent is a safeguard to make sure that data subjects participate voluntarily in the research project (e.g., “I have read the information and agree to participate under the conditions described”). This type of informed consent is required in most types of research involving humans, irrespective of which legal basis is used.
Even if consent is not the legal basis, you may still need to ask consent for processing special categories of personal data, or to ascertain voluntary participation in your study. All requirements outlined below concern consent as meant by the GDPR.
- Determine if consent is the legal basis you need
Consent is not the only legal basis suitable for scientific research. In many cases, public interest is very suitable as well (sometimes more suitable) in a research context.
- Consider if you meet all requirements for consent
If you need to use consent as a legal basis, consider if you meet all requirements listed below. If you do not, consent is not a valid legal basis, and you should consider another one.
- Determine what you will ask consent for
Determine what specifically you are asking consent for. If you cannot determine a specific purpose, for instance because your research question is not yet entirely clear, contact your privacy officer to consider obtaining broad consent.
- Prepare information for data subjects
Prepare a privacy notice or information letter for data subjects to inform them before asking for their consent.
- Obtain demonstrable consent
Different forms of consent are valid. Note that often a signature is not required.
- Keep the consent forms available
Treat the consent declarations as personal data: store them securely, separately from the research data, and for as long as your research data contain personal data.
Consent is mostly suitable for scientific research for which the legal basis of public interest is not suitable, such as research in which:
special categories of personal data form the core data in the dataset.In that case, explicit consent is often needed in order to overcome the ban on using these types of personal data. When the dataset is rendered useless when stripping it of the special categories, consent is likely the best legal basis. However, when the special categories are easy to strip from the dataset, leaving a perfectly reusable dataset with “regular” personal data, public interest could still be used as a legal basis, leaving consent to only be the way to lift the ban of using special categories of personal data.
it is important to give data subjects a maximum amount of control over their personal dataThis can be an ethical requirement, but sometimes the possibility of providing (and withdrawing) consent can also be an additional reason for data subjects to participate. It can tip the balance.
agreements with data subjects need to be registered anywaysFor example for the use and storage of audio or video recordings. It could then make more sense to use consent for all processing activities. This especially applies if you want to use the audio and video recordings for broader purposes than just answering your research question, such as use during lectures or conferences, placement on a website or in an archive, etc.
personal data are collected to be (re)used for purposes other than scientific researchReuse for non-scientific purposes would need its own (new) legal basis, such as consent or legitimate interest.
personal data are transferred to a country outside of the European Economic Area (EEA)Consent may be required when data are transferred to a third country, which does not have an adequate level of data protection, and no extra protection measures are available or possible. Please contact your privacy officer to assess whether this situation applies to you.
Freely givenData subjects should have an actual voluntary choice and should not experience negative consequences if they don’t consent or withdraw their consent. Moreover, they should not be pressured to provide consent, and so there cannot be a power imbalance between the controller (e.g., researcher) and data subjects (rec. 43).
- Consent is not a valid legal basis when the researcher is also a teacher and asks their students to participate, who depend on the teacher for a good grade.
- Consent is not a valid legal basis when a research director investigates the employees of their own faculty.
Consent can still be used for children and persons legally incapable to provide consent when their legal representative(s) provide the consent.
SpecificData subjects should know as specifically as possible what they are asked to consent to. Separate processing purposes therefore require explicitly separate consent (rec. 32, rec. 43), and accompanying specific information that will allow the data subjects to decide if they consent or not. If consents for multiple purposes are necessary for your research, you can combine those.
- Combined consent may be possible to collect, store, analyse, and share personal data with your collaborators – all actions are needed to answer your research question.
- Separate consent is needed for conducting a survey vs. for conducting a subsequent interview, if participation in that interview is not required for your research project.
- Separate consent is needed for the current research project vs. for contacting data subjects for future research projects.
- Separate consent is needed to use personal data to answer a research question vs. to link different sources of data together to do so (Code of Conduct Dutch Health Research, 2022.
- New consent is needed to make the personal data available for reuse to a specific party for a specific purpose (describe the conditions under which this will be allowed).
InformedData subjects need to be clearly and accessibly informed about which personal data are processed and why, and about their rights (see Information to data subjects). Data subjects should be able to access this information easily (also after they have provided consent).
Unambiguous and affirmative
It should be clear what data subjects are providing consent for, using a clear, affirmative statement. Importantly, “silence, pre-ticked boxes or inactivity” do not constitute valid consent (rec. 32): consent should be active.
RetractableData subjects have the right to withdraw their consent, meaning their personal data cannot be used for the research purpose anymore and have to be removed where possible. Withdrawing consent should be as easy as providing consent. It is important to make the distinction with the right to stop participating at any time (usually an ethical obligation), because the latter implies that the data collected up until that point can still be used for the research project.
The way you obtain consent may differ per research project and can depend on how you interact with your data subjects. The only requirement is that it should be demonstrable and registered in a reliable manner. Some examples:
- Ticking a box (not pre-ticked!)
- Writing or replying to an email (“I agree to be interviewed”)
- Filling in an electronic form
- Audio- or video-recorded consent (separate it from the research data!)
- Signing a paper document (not usually necessary)
Signatures in consent forms are rarely needed. In fact, if you are only processing pseudonymised research data, you will only collect unnecessary personal data by obtaining a signature (art. 11), and a checkbox should be sufficient. In order to link the consent form with the data subject, you should include the pseudonym on the consent form (the identifier you will use for the participant, e.g., “part-001”). Inform your participants of this pseudonym; they can use it to exercise their rights under the GDPR, such as for withdrawing their consent.
Only when the identity of the data subjects will be used in the process (e.g., clinical trials), a signature may make sense or be required. For example, if your research is subject to the Dutch Medical Research Involving Human Subjects Act (WMO), different requirements may apply.
As long as you process personal data, you should be able to demonstrate that the data subjects consented to that processing (rec. 42). So as long as you analyse, use, store, archive, etc. the personal data, the proof of consent needs to be retained. It is preferable to store the proofs separately from the research data. If you collected consent on paper, it is best practice to scan the consent forms and securely delete the paper version after having made sure the scanning went well. Only after there is no personal data anymore (e.g., after fully anonymising the dataset), you can remove the proof of consent.
In research, it can sometimes be difficult to formulate very specific research questions in advance. In this case, you may be able to formulate the research purposes on a more general level and obtain consent for these more general purposes (EDPS, 2020; Deutsche Datenschutzkonferenz, 2019). However, you can do this only as long as:
- data subjects can give consent to only part of the research and easily withdraw consent (rec. 33).
- data subjects are kept informed as specifically as possible about what will happen to their personal data. As soon as you know more, you should also inform data subjects in more detail. Your use of the personal data should fall within the line of expectation from data subjects.
- you use additional protection measures, for example:
- obtain ethical approval for using the data for new research questions.
- offer a consent withdrawal possibility before using the data for new research questions. This is especially relevant when it is still possible to reliably identify data subjects in the dataset.
- make sure the data are not transferred to countries outside of the EEA, unless one of the derogations from GDPR Chapter V applies (e.g., adequacy decision, standard contractual clauses, explicit consent for transfer).
- enforce specific requirements for access the data, e.g., “research in general” is not a sufficiently specific purpose for reuse of the personal data.
- you document your considerations and ask for help from a privacy officer.
Broad consent under the GDPR needs to be distinguished from “General consent” as defined by the Dutch Code of Conduct for health researchers, that is: for medical research, different requirements may (additionally) apply.
Note that all examples below assume that they are preceded by sufficiently specified information.