GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects?

To be lawful, the processing of personal data must be based on one of the legal grounds provided in the General Data Protection Regulation (GDPR).

If the processing of personal data within your research project is based on the consent of the data subject as the legal basis, this consent must meet several conditions.

1. Informing data subjects

You must inform data subjects in an understandable and easily accessible form and in clear and simple language about the objectives of your research and how their personal data will be processed.

In the research tip about how to be transparent to data subjects, you will find information and a checklist for drawing up an information letter.

2. Unambiguous, free and specific consent

The consent must be unambiguous, free and specific, and you must inform the data subjects of each purpose for which the data is processed.

You may not use pre-ticked boxes for this. Interpreting a lack of activity of data subjects as giving consent is also not permitted. In these cases, this is not ‘free’ consent.

3. Consent for each processing activity

Consent must be given for each individual processing activity.

For example, a 'general' consent for 'scientific research' is not valid. You must as the researcher describe it in greater detail (if possible). The consent is also not valid if it is a 'take it or leave it’ principle, where the data subject must either agree to everything or to nothing.

4. Right to withdraw consent

Under the GDPR, data subjects have the right to withdraw their consent at any time.

As a researcher, it is important that you inform data subjects about how they can easily withdraw their consent. If the data subject cannot exercise this right because the exercise of this right entails fundamental risks to achieve your research purpose (as motivated in the GDPR register), then you should mention this.

5. Documenting consent

It is very important to document the (written or oral) consent.

6. Periodic evaluation of consent

Consent given can lose its value over time.

The 'expiry date' of the consent will depend on the context of the research project and on the original consent. As a researcher, it is important to regularly evaluate whether the consent obtained is still consistent with your current research activities.

Broad consent for research

The GDPR acknowledges that it is not always possible for research to fully describe the purpose of data processing at the time of data collection.

For this reason, the GDPR stipulates that the data subjects must have the opportunity to give their consent for certain areas of scientific research ('broad consent') in which recognised ethical standards for scientific research are observed. Hereby it is important to also consider other regulations that are relevant, such as those for clinical studies, etc.

More information

Privacy and research

More tips

Consent in research – ethics & privacy (GDPR) (Research integrity & ethics)
GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
GDPR: how am I transparent to data subjects in my research? (Research integrity & ethics)
GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
GDPR: how can I protect my data correctly? (Research integrity & ethics)
GDPR: how do I register personal data processing activities? (Research integrity & ethics)
GDPR: how long can research data containing personal data be stored? (Research integrity & ethics)
GDPR: what are personal data? (Research integrity & ethics)
GDPR: what are the basic principles? (Research integrity & ethics)
GDPR: what are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
GDPR: what do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
GDPR: What should I do if there is a data breach? (Research integrity & ethics)
GDPR: what should I do in the event of further/secondary processing of personal data? (Research integrity & ethics)
GDPR: what should I keep in mind when designing my research? (Research integrity & ethics)
GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
GDPR: What should I think about when processing personal data from minors? (Research integrity & ethics)
GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
GDPR: when does it apply to my research? (Research integrity & ethics)
GDPR: who are considered as vulnerable persons? (Research integrity & ethics)
GDPR: why is it important to comply with this legislation? (Research integrity & ethics)

Translated tip

AVG: welke informatie moet ik opnemen in een informed consent formulier wanneer de verwerking van persoonsgegevens gebaseerd is op toestemming van de betrokkenen?

tags:

Research integrity & ethics

Last modified Aug. 31, 2021, 1:55 p.m.

Questions? Suggestions?

libservice@ugent.be