Consent

On this page: consent, consent form, informed consent form, legal basis
Date of last review: 2023-10-02

Of the 6 possible legal bases to process personal data, consent is currently the one most often used in research, although it may not always be the most appropriate one. With the term consent, we mean the process of data subjects deciding whether or not to agree to specific statements, such as a statement to collect and analyse their data to answer the research question.

Different types of consent

The term “consent” is used both in the GDPR as well as in an ethical context:

• In the GDPR, consent can be a legal basis, where data subjects give consent to process their personal data (e.g., “I consent to my data a, b, c being used for purpose x, y, z”). Instead of this “GDPR consent”, you can often also use another legal basis to process personal data in your research, such as public interest.
• In the GDPR, consent can also be a way to lift the ban on processing special categories of personal data. Importantly, in some cases, you should use consent to allow the use of special categories of personal data, but still use public interest as the main legal basis in your research project.
• In an ethical context, informed consent is a safeguard to make sure that data subjects participate voluntarily in the research project (e.g., “I have read the information and agree to participate under the conditions described”). This type of informed consent is required in most types of research involving humans, irrespective of which legal basis is used.

Even if consent is not the legal basis, you may still need to ask consent for processing special categories of personal data, or to ascertain voluntary participation in your study. All requirements outlined below concern consent as meant by the GDPR.

Consent step-by-step

1. Determine if consent is the legal basis you need
   Consent is not the only legal basis suitable for scientific research. In many cases, public interest is very suitable as well (sometimes more suitable) in a research context.
   
   
2. Consider if you meet all requirements for consent
   If you need to use consent as a legal basis, consider if you meet all requirements listed below. If you do not, consent is not a valid legal basis, and you should consider another one.
   
   
3. Determine what you will ask consent for
   Determine what specifically you are asking consent for. If you cannot determine a specific purpose, for instance because your research question is not yet entirely clear, contact your privacy officer to consider obtaining broad consent.
   
   
4. Prepare information for data subjects
   Prepare a privacy notice or information letter for data subjects to inform them before asking for their consent.
   
   
5. Obtain demonstrable consent
   Different forms of consent are valid. Note that often a signature is not required.
   
   
6. Keep the consent forms available
   Treat the consent declarations as personal data: store them securely, separately from the research data, and for as long as your research data contain personal data.

When to use consent as a legal basis?

Consent is mostly suitable for scientific research for which the legal basis of public interest is not suitable, such as research in which:

• special categories of personal data form the core data in the dataset.

  In that case, explicit consent is often needed in order to overcome the ban on using these types of personal data. When the dataset is rendered useless when stripping it of the special categories, consent is likely the best legal basis. However, when the special categories are easy to strip from the dataset, leaving a perfectly reusable dataset with “regular” personal data, public interest could still be used as a legal basis, leaving consent to only be the way to lift the ban of using special categories of personal data.
• it is important to give data subjects a maximum amount of control over their personal data

  This can be an ethical requirement, but sometimes the possibility of providing (and withdrawing) consent can also be an additional reason for data subjects to participate. It can tip the balance.
• arrangements with data subjects need to be registered anyways

  For example for the use of private material (like diaries; you need consent from a copyright perspective) and for the production and publication of audio or video recordings (portrait rights). It could then make more sense to use consent for all processing activities. This is because consent is required anyways if you want to use video or audio recordings for broader purposes than scientific research purposes, such as playback during lectures or conferences, placement on a website, transfer to a national archive, etc.

• personal data are collected to be (re)used for purposes other than scientific research

  Reuse for non-scientific purposes would need its own (new) legal basis, such as consent or legitimate interest.
• personal data are transferred to a country outside of the European Economic Area (EEA)

  Consent may be required when data are transferred to a third country, which does not have an adequate level of data protection, and no extra protection measures are available or possible. Please contact your privacy officer to assess whether this situation applies to you.

Requirements for valid consent

Under the GDPR, consent is only valid when it is all of the below (art. 4, art. 7, rec. 32, rec. 42, rec. 43; click to expand):

• Freely given

  Data subjects should have an actual voluntary choice and should not experience negative consequences if they don’t consent or withdraw their consent. Moreover, they should not be pressured to provide consent, and so there cannot be a power imbalance between the controller (e.g., researcher) and data subjects (rec. 43).
  
  Some examples:

  • Consent is not a valid legal basis when the researcher is also a teacher and asks their students to participate, who depend on the teacher for a good grade.
  • Consent is not a valid legal basis when a research director investigates the employees of their own faculty.

  Consent can still be used for children and persons legally incapable to provide consent when their legal representative(s) provide the consent.

• Specific

  Data subjects should know as specifically as possible what they are asked to consent to. Separate processing purposes therefore require explicitly separate consent (rec. 32, rec. 43), and accompanying specific information that will allow the data subjects to decide if they consent or not. If consents for multiple purposes are necessary for your research, you can combine those.
  
  Some examples:

  • Combined consent may be possible to collect, store, analyse, and share personal data with your collaborators – all actions are needed to answer your research question.
  • Separate consent is needed for conducting a survey vs. for conducting a subsequent interview, if participation in that interview is not required for your research project.
  • Separate consent is needed for the current research project vs. for contacting data subjects for future research projects.
  • Separate consent is needed to use personal data to answer a research question vs. to link different sources of data together to do so (Code of Conduct Dutch Health Research, 2022.
  • New consent is needed to make the personal data available for reuse to a specific party for a specific purpose (describe the conditions under which this will be allowed).
• Informed

  Data subjects need to be clearly and accessibly informed about which personal data are processed and why, and about their rights (see Information to data subjects). Data subjects should be able to access this information easily (also after they have provided consent).
• Unambiguous and affirmative

  It should be clear what data subjects are providing consent for, using a clear, affirmative statement. Importantly, “silence, pre-ticked boxes or inactivity” do not constitute valid consent (rec. 32): consent should be active.

• Retractable

  Data subjects have the right to withdraw their consent, meaning their personal data cannot be used for the research purpose anymore and have to be removed where possible. Withdrawing consent should be as easy as providing consent. It is important to make the distinction with the right to stop participating at any time (usually an ethical obligation), because the latter implies that the data collected up until that point can still be used for the research project.

What forms of consent are valid?

The way you obtain consent may differ per research project and can depend on how you interact with your data subjects. The only requirement is that it should be demonstrable and registered in a reliable manner. Some examples:

• Ticking a box (not pre-ticked!)
• Writing or replying to an email (“I agree to be interviewed”)
• Filling in an electronic form
• Audio- or video-recorded consent (separate it from the research data!)
• Signing a paper document (not usually necessary)

To sign or not to sign?

Signatures in consent forms are rarely needed. In fact, if you are only processing pseudonymised research data, you will only collect unnecessary personal data by obtaining a signature (art. 11), and a checkbox should be sufficient. In order to link the consent form with the data subject, you should include the pseudonym on the consent form (the identifier you will use for the participant, e.g., “part-001”). Inform your participants of this pseudonym; they can use it to exercise their rights under the GDPR, such as for withdrawing their consent.

Only when the identity of the data subjects will be used in the process (e.g., clinical trials), a signature may make sense or be required. For example, if your research is subject to the Dutch Medical Research Involving Human Subjects Act (WMO), different requirements may apply.

Demonstrating (valid) consent

As long as you process personal data, you should be able to demonstrate that the data subjects consented to that processing (rec. 42). So as long as you analyse, use, store, archive, etc. the personal data, the proof of consent needs to be retained. It is preferable to store the proofs separately from the research data. If you collected consent on paper, it is best practice to scan the consent forms and securely delete the paper version after having made sure the scanning went well. Only after there is no personal data anymore (e.g., after fully anonymising the dataset), you can remove the proof of consent.

Broad consent in research

In research, it can sometimes be difficult to formulate very specific research questions in advance. In this case, you may be able to formulate the research purposes on a more general level and obtain consent for these more general purposes (EDPS, 2020; Deutsche Datenschutzkonferenz, 2019). However, you can do this only as long as:

• data subjects can give consent to only part of the research and easily withdraw consent (rec. 33).
• data subjects are kept informed as specifically as possible about what will happen to their personal data. As soon as you know more, you should also inform data subjects in more detail. Your use of the personal data should fall within the line of expectation from data subjects.
• you use additional protection measures, for example:
  • obtain ethical approval for using the data for new research questions.
  • offer a consent withdrawal possibility before using the data for new research questions. This is especially relevant when it is still possible to reliably identify data subjects in the dataset.
  • make sure the data are not transferred to countries outside of the EEA, unless one of the derogations from GDPR Chapter V applies (e.g., adequacy decision, standard contractual clauses, explicit consent for transfer).
  • enforce specific requirements for access the data, e.g., “research in general” is not a sufficiently specific purpose for reuse of the personal data.
• you document your considerations and ask for help from a privacy officer.

Broad consent under the GDPR needs to be distinguished from “General consent” as defined by the Dutch Code of Conduct for health researchers, that is: for medical research, different requirements may (additionally) apply.

Examples and templates

Note that all examples below assume that they are preceded by sufficiently specified information.

Example sentences

Good example sentences:

• “I consent to the collection and use of my personal data to answer the research question described in the information letter.”
• “I consent to linking the new research data to data previously collected about me in this research project.”
• “I agree that research data gathered for the study may be published or made available provided my name or other identifying information is not used.”
• “I understand that the research data, without any personal information that could identify me (not linked to me) may be shared with other researchers.”

Bad example sentences:

• “Any information I give will be used for this research project only and will not be used for any other purpose”: this restricts all future uses of the data, including sharing the data with your collaborators, performing analyses for new research questions, and sharing the data for reuse. It’s preferred to tell data subjects how their data can be safely used in different ways.
• “I do not give consent to share my data”: this sentence is ambiguous and may confuse data subjects.
• “I acknowledge that the personal data collected by the researcher belongs to the university and that I have no rights in the research performed on it”: it is not allowed to deny data subjects all their data subjects’ rights.

---

Data Privacy Handbook

The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.

💡 Give feedback about this page | Privacy policy | Cite the Data Privacy Handbook