GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects?
To be lawful, the processing of personal data must be based on one of the legal grounds provided in the General Data Protection Regulation (GDPR).
If the processing of personal data within your research project is based on the consent of the data subject as the legal basis, this consent must meet several conditions.
1. Informing data subjects
You must inform data subjects in an understandable and easily accessible form and in clear and simple language about the objectives of your research and how their personal data will be processed.
In the research tip about how to be transparent to data subjects, you will find information and a checklist for drawing up an information letter.
2. Unambiguous, free and specific consent
The consent must be unambiguous, free and specific, and you must inform the data subjects of each purpose for which the data is processed.
You may not use pre-ticked boxes for this. Interpreting a lack of activity of data subjects as giving consent is also not permitted. In these cases, this is not ‘free’ consent.
3. Consent for each processing activity
Consent must be given for each individual processing activity.
For example, a 'general' consent for 'scientific research' is not valid. You must as the researcher describe it in greater detail (if possible). The consent is also not valid if it is a 'take it or leave it’ principle, where the data subject must either agree to everything or to nothing.
4. Right to withdraw consent
Under the GDPR, data subjects have the right to withdraw their consent at any time.
As a researcher, it is important that you inform data subjects about how they can easily withdraw their consent. If the data subject cannot exercise this right because the exercise of this right entails fundamental risks to achieve your research purpose (as motivated in the GDPR register), then you should mention this.
5. Documenting consent
It is very important to document the (written or oral) consent.
6. Periodic evaluation of consent
Consent given can lose its value over time.
The 'expiry date' of the consent will depend on the context of the research project and on the original consent. As a researcher, it is important to regularly evaluate whether the consent obtained is still consistent with your current research activities.
Broad consent for research
The GDPR acknowledges that it is not always possible for research to fully describe the purpose of data processing at the time of data collection.
For this reason, the GDPR stipulates that the data subjects must have the opportunity to give their consent for certain areas of scientific research ('broad consent') in which recognised ethical standards for scientific research are observed. Hereby it is important to also consider other regulations that are relevant, such as those for clinical studies, etc.
More information
More tips
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Integrity in science)
- GDPR: how am I transparent to data subjects in my research? (Integrity in science)
- GDPR: how can I ensure that the processing of personal data is lawful? (Integrity in science)
- GDPR: how can I protect my data correctly? (Integrity in science)
- GDPR: how do I register personal data processing activities? (Integrity in science)
- GDPR: how long can research data containing personal data be stored? (Integrity in science)
- GDPR: what are personal data? (Integrity in science)
- GDPR: what are the basic principles? (Integrity in science)
- GDPR: what are the different roles and responsibilities according to the GDPR? (Integrity in science)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Integrity in science)
- GDPR: what has changed with regard to the previous privacy legislation? (Integrity in science)
- GDPR: what is the General Data Protection Regulation? (Integrity in science)
- GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Integrity in science)
- GDPR: What should I do if there is a data breach? (Integrity in science)
- GDPR: what should I do in the event of further/secondary processing of personal data? (Integrity in science)
- GDPR: what should I keep in mind when designing my research? (Integrity in science)
- GDPR: what should I keep in mind when processing special categories of personal data? (Integrity in science)
- GDPR: What should I think about when I collaborate with others or share my data? (Integrity in science)
- GDPR: What should I think about when processing personal data from minors? (Integrity in science)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Integrity in science)
- GDPR: when does it apply to my research? (Integrity in science)
- GDPR: who are considered as vulnerable persons? (Integrity in science)
- GDPR: why is it important to comply with this legislation? (Integrity in science)
Translated tip
Last modified Oct. 1, 2020, 11:32 a.m.