GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects?

To be lawful, the processing of personal data must be based on one of the legal grounds provided in the General Data Protection Regulation (GDPR).

If the processing of personal data within your research project is based on the consent of the data subject as the legal basis, this consent must meet several conditions.

1. Informing data subjects

You must inform data subjects in an understandable and easily accessible form and in clear and simple language about the objectives of your research and how their personal data will be processed.

In the research tip about how to be transparent to data subjects, you will find information and a checklist for drawing up an information letter.

2. Unambiguous, free and specific consent

The consent must be unambiguous, free and specific, and you must inform the data subjects of each purpose for which the data is processed.

You may not use pre-ticked boxes for this. Interpreting a lack of activity of data subjects as giving consent is also not permitted. In these cases, this is not ‘free’ consent.

3. Consent for each processing activity

Consent must be given for each individual processing activity.

For example, a 'general' consent for 'scientific research' is not valid. You must as the researcher describe it in greater detail (if possible). The consent is also not valid if it is a 'take it or leave it’ principle, where the data subject must either agree to everything or to nothing.

4. Right to withdraw consent

Under the GDPR, data subjects have the right to withdraw their consent at any time.

As a researcher, it is important that you inform data subjects about how they can easily withdraw their consent. If the data subject cannot exercise this right because the exercise of this right entails fundamental risks to achieve your research purpose (as motivated in the GDPR register), then you should mention this.

5. Documenting consent

It is very important to document the (written or oral) consent.

6. Periodic evaluation of consent

Consent given can lose its value over time.

The 'expiry date' of the consent will depend on the context of the research project and on the original consent. As a researcher, it is important to regularly evaluate whether the consent obtained is still consistent with your current research activities.

Broad consent for research

The GDPR acknowledges that it is not always possible for research to fully describe the purpose of data processing at the time of data collection.

For this reason, the GDPR stipulates that the data subjects must have the opportunity to give their consent for certain areas of scientific research ('broad consent') in which recognised ethical standards for scientific research are observed. Hereby it is important to also consider other regulations that are relevant, such as those for clinical studies, etc.

More information

Privacy and research

More tips

GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Scientific Integrity)
GDPR: how am I transparent to data subjects in my research? (Scientific Integrity)
GDPR: how can I ensure that the processing of personal data is lawful? (Scientific Integrity)
GDPR: how can I protect my data correctly? (Scientific Integrity)
GDPR: how do I register personal data processing activities? (Scientific Integrity)
GDPR: how long can research data containing personal data be stored? (Scientific Integrity)
GDPR: what are personal data? (Scientific Integrity)
GDPR: what are the basic principles? (Scientific Integrity)
GDPR: what are the different roles and responsibilities according to the GDPR? (Scientific Integrity)
GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Scientific Integrity)
GDPR: what do I need to think about when using a mailing list in the context of my research? (Scientific Integrity)
GDPR: what has changed with regard to the previous privacy legislation? (Scientific Integrity)
GDPR: what is the General Data Protection Regulation? (Scientific Integrity)
GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Scientific Integrity)
GDPR: What should I do if there is a data breach? (Scientific Integrity)
GDPR: what should I do in the event of further/secondary processing of personal data? (Scientific Integrity)
GDPR: what should I keep in mind when designing my research? (Scientific Integrity)
GDPR: what should I keep in mind when processing special categories of personal data? (Scientific Integrity)
GDPR: What should I think about when I collaborate with others or share my data? (Scientific Integrity)
GDPR: What should I think about when processing personal data from minors? (Scientific Integrity)
GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Scientific Integrity)
GDPR: when does it apply to my research? (Scientific Integrity)
GDPR: who are considered as vulnerable persons? (Scientific Integrity)
GDPR: why is it important to comply with this legislation? (Scientific Integrity)

Translated tip

AVG: welke informatie moet ik opnemen in een informed consent formulier wanneer de verwerking van persoonsgegevens gebaseerd is op toestemming van de betrokkenen?

tags:

Scientific Integrity

Last modified Aug. 31, 2021, 1:55 p.m.

Questions? Suggestions?

libservice@ugent.be