Data Privacy Handbook

Consent

On this page: consent, consent form, informed consent form, legal basis
Date of last review: 2023-10-02

Of the 6 possible legal bases to process personal data, consent is currently the one most often used in research, although it may not always be the most appropriate one. With the term consent, we mean the process of data subjects deciding whether or not to agree to specific statements, such as a statement to collect and analyse their data to answer the research question.

Different types of consent

The term “consent” is used both in the GDPR and in an ethical context:

  • In the GDPR, consent can be a legal basis, where data subjects give consent to process their personal data (e.g., “I consent to my data a, b, c being used for purpose x, y, z”). Instead of this “GDPR consent”, you can often also use another legal basis to process personal data in your research, such as public interest.
  • In the GDPR, consent can also be a way to lift the ban on processing special categories of personal data. Importantly, in some cases, you should use consent to allow the use of special categories of personal data, but still use public interest as the main legal basis in your research project.
  • In an ethical context, informed consent is a safeguard to make sure that data subjects participate voluntarily in the research project (e.g., “I have read the information and agree to participate under the conditions described”). This type of informed consent is required in most types of research involving humans, irrespective of which legal basis is used.

Even if consent is not the legal basis, you may still need to ask consent for processing special categories of personal data, or to ascertain voluntary participation in your study. All requirements outlined below concern consent as meant by the GDPR.

Consent step-by-step

  1. Determine if consent is the legal basis you need
    Consent is not the only legal basis suitable for scientific research. In many cases, public interest is very suitable as well (sometimes more suitable) in a research context.

  2. Consider if you meet all requirements for consent
    If you need to use consent as a legal basis, consider if you meet all requirements listed below. If you do not, consent is not a valid legal basis, and you should consider another one.

  3. Determine what you will ask consent for
    Determine what specifically you are asking consent for. If you cannot determine a specific purpose, for instance because your research question is not yet entirely clear, contact your privacy officer to consider obtaining broad consent.

  4. Prepare information for data subjects
    Prepare a privacy notice or information letter for data subjects to inform them before asking for their consent.

  5. Obtain demonstrable consent
    Different forms of consent are valid. Note that often a signature is not required.

  6. Keep the consent forms available
    Treat the consent declarations as personal data: store them securely, separately from the research data, and for as long as your research data contain personal data.

When to use consent as a legal basis?

Consent is mostly suitable for scientific research for which the legal basis of public interest is not suitable, such as research in which:

  • special categories of personal data form the core data in the dataset.
    In that case, explicit consent is often needed in order to overcome the ban on using these types of personal data. If the dataset is rendered useless by stripping it of the special categories, consent is likely the best legal basis. However, when the special categories are easy to strip from the dataset, leaving a perfectly reusable dataset with “regular” personal data, public interest could still be used as a legal basis, leaving consent to only be the way to lift the ban on using special categories of personal data.
  • it is important to give data subjects a maximum amount of control over their personal data
    This can be an ethical requirement, but sometimes the possibility of providing (and withdrawing) consent can also be an additional reason for data subjects to participate. It can tip the balance.
  • arrangements with data subjects need to be registered anyway
    For example, for the use of private material (like diaries; you need consent from a copyright perspective) and for the production and publication of audio or video recordings (portrait rights). It could then make more sense to use consent for all processing activities. This is because consent is required anyway if you want to use video or audio recordings for broader purposes than scientific research purposes, such as playback during lectures or conferences, placement on a website, transfer to a national archive, etc.

  • personal data are collected to be (re)used for purposes other than scientific research
    Reuse for non-scientific purposes would need its own (new) legal basis, such as consent or legitimate interest.
  • personal data are transferred to a country outside of the European Economic Area (EEA)
    Consent may be required when data are transferred to a third country, which does not have an adequate level of data protection, and no extra protection measures are available or possible. Please contact your privacy officer to assess whether this situation applies to you.

Requirements for valid consent

Under the GDPR, consent is only valid when it is all of the below (art. 4, art. 7, rec. 32, rec. 42, rec. 43):

  • Freely given
    Data subjects should have an actual voluntary choice and should not experience negative consequences if they don’t consent or withdraw their consent. Moreover, they should not be pressured to provide consent, and so there cannot be a power imbalance between the controller (e.g., researcher) and data subjects (rec. 43).

    Some examples:
    • Consent is not a valid legal basis when the researcher is also a teacher and asks their students to participate, who depend on the teacher for a good grade.
    • Consent is not a valid legal basis when a research director investigates the employees of their own faculty.

    Consent can still be used for children and persons legally incapable of providing consent when their legal representative(s) provide the consent.

  • Specific
    Data subjects should know as specifically as possible what they are asked to consent to. Separate processing purposes therefore require explicitly separate consent (rec. 32, rec. 43), and accompanying specific information that will allow the data subjects to decide if they consent or not. If consents for multiple purposes are necessary for your research, you can combine those.

    Some examples:
    • Combined consent may be possible to collect, store, analyse, and share personal data with your collaborators – all actions are needed to answer your research question.
    • Separate consent is needed for conducting a survey vs. for conducting a subsequent interview, if participation in that interview is not required for your research project.
    • Separate consent is needed for the current research project vs. for contacting data subjects for future research projects.
    • Separate consent is needed to use personal data to answer a research question vs. to link different sources of data together to do so (Code of Conduct Dutch Health Research, 2022).
    • New consent is needed to make the personal data available for reuse to a specific party for a specific purpose (describe the conditions under which this will be allowed).
  • Informed
    Data subjects need to be clearly and accessibly informed about which personal data are processed and why, and about their rights (see Information to data subjects). Data subjects should be able to access this information easily (also after they have provided consent).
  • Unambiguous and affirmative
    It should be clear what data subjects are providing consent for, using a clear, affirmative statement. Importantly, “silence, pre-ticked boxes or inactivity” do not constitute valid consent (rec. 32): consent should be active.

  • Retractable
    Data subjects have the right to withdraw their consent, meaning their personal data cannot be used for the research purpose anymore and have to be removed where possible. Withdrawing consent should be as easy as providing consent. It is important to make the distinction with the right to stop participating at any time (usually an ethical obligation), because the latter implies that the data collected up until that point can still be used for the research project.

What forms of consent are valid?

The way you obtain consent may differ per research project and can depend on how you interact with your data subjects. The only requirement is that it should be demonstrable and registered in a reliable manner. Some examples:

  • Ticking a box (not pre-ticked!)
  • Writing or replying to an email (“I agree to be interviewed”)
  • Filling in an electronic form
  • Audio- or video-recorded consent (separate it from the research data!)
  • Signing a paper document (not usually necessary)

To sign or not to sign?

Signatures in consent forms are rarely needed. In fact, if you are only processing pseudonymised research data, you will only collect unnecessary personal data by obtaining a signature (art. 11), and a checkbox should be sufficient. In order to link the consent form with the data subject, you should include the pseudonym on the consent form (the identifier you will use for the participant, e.g., “part-001”). Inform your participants of this pseudonym; they can use it to exercise their rights under the GDPR, such as for withdrawing their consent.

Only when the identity of the data subjects will be used in the process (e.g., clinical trials) may a signature make sense or be required. For example, if your research is subject to the Dutch Medical Research Involving Human Subjects Act (WMO), different requirements may apply.

Demonstrating (valid) consent

As long as you process personal data, you should be able to demonstrate that the data subjects consented to that processing (rec. 42). So as long as you analyse, use, store, archive, etc. the personal data, the proof of consent needs to be retained. It is preferable to store the proofs separately from the research data. If you collected consent on paper, it is best practice to scan the consent forms and securely delete the paper version after having made sure the scanning went well. Only once there are no personal data anymore (e.g., after fully anonymising the dataset) can you remove the proof of consent.

Broad consent in research

In research, it can sometimes be difficult to formulate very specific research questions in advance. In this case, you may be able to formulate the research purposes on a more general level and obtain consent for these more general purposes (EDPS, 2020; Deutsche Datenschutzkonferenz, 2019). However, you can do this only as long as:

  • data subjects can give consent to only part of the research and easily withdraw consent (rec. 33).
  • data subjects are kept informed as specifically as possible about what will happen to their personal data. As soon as you know more, you should also inform data subjects in more detail. Your use of the personal data should fall within the line of expectation from data subjects.
  • you use additional protection measures, for example:
    • obtain ethical approval for using the data for new research questions.
    • offer a consent withdrawal possibility before using the data for new research questions. This is especially relevant when it is still possible to reliably identify data subjects in the dataset.
    • make sure the data are not transferred to countries outside of the EEA, unless one of the derogations from GDPR Chapter V applies (e.g., adequacy decision, standard contractual clauses, explicit consent for transfer).
    • enforce specific requirements for access to the data, e.g., “research in general” is not a sufficiently specific purpose for reuse of the personal data.
  • you document your considerations and ask for help from a privacy officer.

Broad consent under the GDPR needs to be distinguished from “General consent” as defined by the Dutch Code of Conduct for health researchers: for medical research, different requirements may (additionally) apply.

Examples and templates

Note that all examples below assume that they are preceded by sufficiently specified information.

Example sentences
Good example sentences:
  • “I consent to the collection and use of my personal data to answer the research question described in the information letter.”
  • “I consent to linking the new research data to data previously collected about me in this research project.”
  • “I agree that research data gathered for the study may be published or made available provided my name or other identifying information is not used.”
  • “I understand that the research data, without any personal information that could identify me (not linked to me) may be shared with other researchers.”
Bad example sentences:
  • “Any information I give will be used for this research project only and will not be used for any other purpose”: this restricts all future uses of the data, including sharing the data with your collaborators, performing analyses for new research questions, and sharing the data for reuse. It’s preferred to tell data subjects how their data can be safely used in different ways.
  • “I do not give consent to share my data”: this sentence is ambiguous and may confuse data subjects.
  • “I acknowledge that the personal data collected by the researcher belongs to the university and that I have no rights in the research performed on it”: it is not allowed to deny data subjects all their data subjects’ rights.
