Data Privacy Handbook

Informed consent

Of the 6 possible legal bases to process personal data, informed consent is currently the one most often used in research. With the term consent, we mean the process of data subjects deciding whether or not to agree to specific statements, such as a statement to participate in a research project.

Consent step-by-step

  1. Determine if consent is the legal basis you need

    Determine if consent is the legal basis you need for your research: there are other legal bases besides consent which can sometimes be more suitable in a research context.

    In some situations, consent is likely the only way to process data, for example, if you want to process special categories of personal data, or if you process personal data from people who are incapable of giving consent or from children under 16 years old. In the latter case, the GDPR requires you to additionally obtain consent from a legal representative (e.g., parent), and there are additional requirements when your research falls under the Dutch Medical Research Involving Human Subjects Act.

  2. Consider if you meet all requirements for consent
    If you need to use consent as a legal basis, consider if you meet all requirements listed below. If you do not, consent is not a valid legal basis, and you should consider another one.
  3. Determine what you will ask consent for
    Determine what specifically you are asking consent for. If you cannot determine a specific purpose, for instance because your research question is not yet entirely clear, contact your privacy officer to consider obtaining broad consent.
  4. Prepare information for data subjects
    Prepare a privacy notice or information letter for data subjects to inform them before asking for their consent.
  5. Obtain demonstrable consent
    Different forms of consent are valid. Note that often a signature is not required.
  6. Keep the consent forms available
    Treat the consent declarations as personal data: store them separately and securely from the research data, and for as long as your research data contain personal data.

Note that the term “consent” is used both in the GDPR and in an ethical context. As a legal basis, data subjects give consent to process their personal data (e.g., “I consent to my data a, b, c being used for purpose x, y, z”). In an ethical context, consent is a safeguard to give data subjects more control over their personal data, and makes sure they participate voluntarily in the research project (e.g., “I have read the information and agree to participate under the conditions described”). Thus, it can happen that consent is not the best legal basis to use, but should still be used as an ethical requirement.

Requirements for valid consent

Under the GDPR, consent is only valid when it is all of the below (art. 4, art. 7, rec. 32, rec. 42, rec. 43):

  • Freely given
    Data subjects should have an actual voluntary choice and should not experience negative consequences if they don’t consent or withdraw their consent. Moreover, they should not be pressured to provide consent, and so there cannot be a power imbalance between the controller (e.g., researcher) and data subjects (rec. 43).

    Some examples:
    • Consent is not a valid legal basis when the researcher is also a teacher and asks their students to participate, who depend on the teacher for a good grade.
    • Consent in a clinical trial is not a valid legal basis when patients are asked to participate in the trial, but the choice to participate affects their treatment plan or treatment outcome.
    • Consent can still be used for children and persons legally incapable of providing consent when their legal representative(s) provide the consent.
  • Specific
    Data subjects should know as specifically as possible what they are asked to consent to. Separate processing purposes therefore require explicitly separate consent (rec. 32, rec. 43), and accompanying specific information that will allow the data subjects to decide if they consent or not. If consents for multiple purposes are necessary for your research, you can combine those.

    Some examples:
    • Combined consent may be possible to collect, store, analyse, and share personal data with your collaborators – all actions are needed to answer your research question.
    • Separate consent is needed for conducting a survey vs. for conducting a subsequent interview, if participation in that interview is not required for your research project.
    • Separate consent is needed for the current research project vs. for contacting data subjects for future research projects.
    • Separate consent is needed to use personal data to answer a research question vs. to link different sources of data together to do so (Gedragscode Gezondheidsonderzoek, 2022).
    • Separate consent is recommended to make the personal data available for reuse (describe the conditions under which this will be allowed).
  • Informed
    Data subjects need to be clearly and accessibly informed about which personal data are processed and why, and about their rights (see Information to data subjects). Data subjects should be able to access this information easily (also after they have provided consent).
  • Unambiguous and affirmative
    It should be clear what data subjects are providing consent for, using a clear, affirmative statement. Importantly, “silence, pre-ticked boxes or inactivity” do not constitute valid consent (rec. 32): consent should be active.
  • Retractable
    Data subjects have the right to withdraw their consent, meaning their personal data cannot be used for the research purpose anymore and have to be removed where possible. Withdrawing consent should be as easy as providing consent. It is important to make the distinction with the right to stop participating at any time (usually an ethical obligation), because the latter implies that the data collected up until that point can still be used for the research project.

What forms of consent are valid?

The way you obtain consent may differ per research project and can depend on how you interact with your data subjects. The only requirement is that it should be demonstrable and registered in a reliable manner. Some examples:

  • Ticking a box (not pre-ticked!)
  • Writing or replying to an email (“I agree to be interviewed”)
  • Filling in an electronic form
  • Audio- or video-recorded consent (separate it from the research data!)
  • Signing a paper document (not usually necessary)

To sign or not to sign?

Signatures in consent forms are rarely needed. In fact, if you are only processing pseudonymised research data, you will only collect unnecessary personal data by obtaining a signature (art. 11), and a checkbox should be sufficient. In order to link the consent form with the data subject, you should include the pseudonym on the consent form (the identifier you will use for the participant, e.g., “part-001”). Inform your participants of this pseudonym; they can use it to exercise their rights under the GDPR, such as for withdrawing their consent.

Only when the identity of the data subjects will be used in the process (e.g., clinical trials), a signature may make sense or be required. For example, if your research is subject to the Dutch Medical Research Involving Human Subjects Act (WMO), different requirements may apply.

Demonstrating (valid) consent

As long as you process personal data, you should be able to demonstrate that the data subjects consented to that processing (rec. 42). So as long as you analyse, use, store, archive, etc. the personal data, the proof of consent needs to be retained. It is preferable to store the proofs separately from the research data. If you collected consent on paper, it is best practice to scan the consent forms and securely delete the paper version after having made sure the scanning went well. Only after there is no personal data anymore (e.g., after fully anonymising the dataset), you can remove the proof of consent.

Broad consent in research

In research, it can sometimes be difficult to formulate very specific research questions in advance. In this case, you may be able to formulate the research purposes on a more general level and obtain consent for these more general purposes (EDPS, 2020; Deutsche Datenschutzkonferenz, 2019). However, you can do this only as long as:

  • data subjects can give consent to only part of the research and easily withdraw consent (rec. 33).
  • data subjects are kept informed as specifically as possible about what will happen to their personal data. As soon as you know more, you should also inform data subjects in more detail. Your use of the personal data should fall within the line of expectation from data subjects.
  • you use additional protection measures, for example:
    • obtain ethical approval for using the data for new research questions.
    • offer a consent withdrawal possibility before using the data for new research questions. This is especially relevant when it is still possible to reliably identify data subjects in the dataset.
    • make sure the data are not transferred to countries outside of the EEA, unless one of the derogations from GDPR Chapter V applies (e.g., adequacy decision, standard contractual clauses, explicit consent for transfer).
    • enforce specific requirements for accessing the data, e.g., “research in general” is not a sufficiently specific purpose for reuse of the personal data.
  • you document your considerations and ask for help from a privacy officer.

Broad consent under the GDPR needs to be distinguished from “General consent” as defined by the Dutch Code of Conduct for health researchers, that is: for medical research, different requirements may (additionally) apply.

Examples and templates

Note that all examples below assume that they are preceded by sufficiently specified information.

Example sentences
Good example sentences:
  • “I consent to the collection and use of my personal data to answer the research question described in the information letter.”
  • “I consent to linking the new research data to data previously collected about me in this research project.”
  • “I agree that research data gathered for the study may be published or made available provided my name or other identifying information is not used.”
  • “I understand that the research data, without any personal information that could identify me (not linked to me) may be shared with other researchers.”
Bad example sentences:
  • “Any information I give will be used for this research project only and will not be used for any other purpose”: this restricts all future uses of the data, including sharing the data with your collaborators, performing analyses for new research questions, and sharing the data for reuse. It’s preferred to tell data subjects how their data can be safely used in different ways.
  • “I do not give consent to share my data”: this sentence is ambiguous and may confuse data subjects.
  • “I acknowledge that the personal data collected by the researcher belongs to the university and that I have no rights in the research performed on it”: it is not allowed to deny data subjects their data subjects’ rights.


The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.
