To be lawful, the processing of personal data must be based on one of the legal grounds provided in the General Data Protection Regulation (GDPR).

If the processing of personal data within your research project is based on the consent of the data subject as the legal basis, this consent must meet several conditions.

1. Informing data subjects

You must inform data subjects in an understandable and easily accessible form and in clear and simple language about the objectives of your research and how their personal data will be processed.

2. Unambiguous, free and specific consent

The consent must be unambiguous, free and specific, and you must inform the data subjects of each purpose for which the data is processed.

You may not use pre-ticked boxes for this. Interpreting a lack of activity of data subjects as giving consent is also not permitted. In these cases, this is not ‘free’ consent.

3. Consent for each processing activity

Consent must be given for each individual processing activity.

For example, a 'general' consent for 'scientific research' is not valid. You must as the researcher describe it in greater detail (if possible). The consent is also not valid if it is a 'take it or leave it’ principle, where the data subject must either agree to everything or to nothing. 

4. Right to withdraw consent

Under the GDPR, data subjects have the right to withdraw their consent at any time.

As a researcher, it is important that you inform data subjects about how they can easily withdraw their consent. If the data subject cannot exercise this right because the exercise of this right entails fundamental risks to achieve your research purpose (as motivated in the GDPR register), then you should mention this.

5. Documenting consent

It is very important to document the (written or oral) consent.

6. Periodic evaluation of consent

Consent given can lose its value over time.

The 'expiry date' of the consent will depend on the context of the research project and on the original consent. As a researcher, it is important to regularly evaluate whether the consent obtained is still consistent with your current research activities.

Broad consent for research

The GDPR acknowledges that it is not always possible for research to fully describe the purpose of data processing at the time of data collection.

For this reason, the GDPR stipulates that the data subjects must have the opportunity to give their consent for certain areas of scientific research ('broad consent') in which recognised ethical standards for scientific research are observed. Hereby it is important to also consider other regulations that are relevant, such as those for clinical studies, etc.

More information

• Privacy and research