The content on this page was updated in October 2021. Please note that we will be updating these pages continuously.
As a researcher, you will often come across situations in which you are under a legal obligation to obtain consent for participation from prospective participants (data subjects) in your research project, or in which it is simply good practice or ethical to do so.
It is important that you are aware that these consent requirements do not necessarily entail that you should employ such consent as the legal basis for processing the subjects’ data. In fact, quite often it will be more appropriate to employ a legal basis other than consent as the legal basis for processing personal data for your research.
In the words of the Danish Data Protection Agency:
“Especially in connection with research, it is important not to confuse consent to process personal data with a consent requirement that follows from other relevant legislation. While you might be obligated to obtain ‘consent’ pursuant to other legislation, this does not necessarily mean that consent has been granted as defined by data protection legislation. The requirement to obtain ‘consent’ of this kind will often constitute an important procedural rule in other legislation, but this does not necessarily mean that such consent can serve as the legal basis for the processing of personal data.”
Source: The Danish Data Protection Agency report "Bidrag fra Datatilsynet: Erfaringsindsamling i forbindelse med Justitsministeriets nationale evaluering af databeskyttelsesreglerne", April 2021
Find out more about the different legal bases for processing personal data in research on the website. You’ll also find more information about the special conditions that determine whether consent can serve as a legal basis for the processing of personal data.
If you choose to process personal data on the legal basis of valid consent to data processing, you are responsible for ensuring that valid and documented consent is obtained pursuant to data protection law.
AU has two templates for obtaining valid consent pursuant to data protection law. These consist of a consent form and an information form. By filling out both forms, you will have met your obligation to obtain valid consent pursuant to data protection law as well as your information duty.
Before processing personal data, you must determine whether Aarhus University is an independent data controller or a joint controller together with an external party.
You can find a guide on how to fill out the consent form and information duty in the template.
Consent must be documented. Therefore, you should obtain written consent. You can use the AU consent form.
You also have to document that the data subjects have received the information required for the consent to be valid as well as the information required to meet the information duty. You can use the AU form to meet the information duty.
As a general rule, data subjects can exercise all of their rights under the General Data Protection Regulation. If data subjects want to exercise their rights, you have to make an individual assessment based on the specific circumstances.
Data subjects are also entitled to withdraw their consent. This means that you must stop processing their personal data.
Here you can find the conditions for a valid consent to data processing. A valid consent must be given freely, be specific, be informed, be an unambiguous indication of the data subject's wishes, be withdrawable and communicated in clear and easy-to-understand language in an easily accessible form.
Given freely means that the data subjects (the persons whose personal data will be processed) may not be and cannot be affected negatively if they choose to say no to having their data processed.
You should therefore consider:
For consent to be given freely, the persons who give their consent must have the option of saying 'yes' or 'no' to different processing purposes.
A data subject may want to give consent to the use of their personal data in your research project, but not want you to use the data for teaching purposes or for publication.
For a consent to be specific it must be specific about the processing purpose(s) for which consent is given.
You must therefore specify for which purposes you intend to process the personal data of your data subjects. As a minimum, the purpose should be sufficiently specific to make it clear to the data subjects that your research (and thus processing of their personal data) will be in a specifically recognised scientific field.
Informed means that the data subjects should have information about who will process their personal data and how the data will be processed.
The data subject's consent must be given on an informed basis.
See what information the data subject should be provided with in the consent form and the associated appendices for meeting the information duty.
Unambiguous indication of the data subject’s wishes means that data subjects must actively consent to the processing of their personal data. In other words, no data subject can commit to anything by being passive.
The research coordinator must be able to document that consent has been given.
This can be done in several ways. For example, you can use the AU consent form. If you use the AU consent form, the data subjects have to tick off the processing purposes that they give consent to and then sign the form.
If you collect consents digitally, you can use a form on the AU website with checkboxes that then document the data subjects' choices in TYPO3. See GDPR guidelines for web editors. You can also use a two-factor authentication system. In this case, you can, for example, obtain consent via a checkbox solution on the website and then send a confirmation email to the participant with a link they can use to confirm their consent.
For a consent to be withdrawable, the consent must be just as easy to withdraw as it was to give.
Remember to include information in the consent form on how data subjects can withdraw their consent. For example, this could be by calling, sending an email or logging into their profile and unchecking the relevant boxes.
If consent is withdrawn, processing of personal data must stop. Any processing performed up to the point of withdrawal is lawful.
The wording of a consent must take account of the data subjects who are to give the consent. The language of the consent must therefore be plain (in layman's terms).
The design of the consent is subject to special requirements if the data subjects are children. For example, you may have to use a different style of language for the consent than if the participants were adults. However, this will always depend on a specific assessment. To ensure that your style is easy to understand, you should:
See the AU consent form. Note that you may have to make adjustments to the form, depending on the data subjects you want for your research project.
A legal basis for data transfer is necessary whenever personal data is shared (made available or disclosed). The informed consent of the data subject may constitute a legal basis for data transfer under certain conditions.
In addition to complying with the standard conditions for valid consent to data processing, the informed consent must be:
☐ I consent to the sharing of my personal data with [insert receiver/research institution] in [insert country or international organisation], which is outside the EU/EEA, even though the rules of the General Data Protection Regulation do not apply to the processing of personal data by the relevant foreign research institution. I have been informed that the level of protection of personal data does not correspond to the level guaranteed in the European Union, including that the transferred personal data during or after the transfer may be processed by the authorities in the third country in question in the interests of public safety, defence and state security. I have also been informed that the third country may not have an independent supervisory authority with responsibility for guaranteeing and enforcing data protection rules, including adequate enforcement powers to assist and advise data subjects in the exercise of their rights, just as there may not be access to an effective judicial remedy to address infringement of the rights of the data subject.
The data protection rules include special protection for data concerning children, particularly with regard to information society services, e.g. social networks. Consent must be obtained from the holders of parental authority over the child, and this consent must be documented. Furthermore, all information addressed at children must be written in a clear and straightforward manner that children can understand.