Valid consent to data processing

The content on this page was updated in October 2021. Please note that we will be updating these pages continuously. 


Here you can find information about consent - including requirements for a valid and documented consent and consent and information duty templates. 


There are different kinds of consent

As a researcher you will often come across situations in which you are under a legal obligation to obtain consent for participation from coming participants (data subjects) in your research project, or in which it is simply good practice or ethical to do so.  

It is important that you are aware that these consent requirements do not necessarily entail that you should employ such consent as the legal basis for processing the subjects’ data. In fact, quite often it will be more appropriate to employ a legal basis other than consent as the legal basis for processing personal data for your research.  

In the words of the Danish Data Protection Agency:

“Especially in connection with research, it is important not to confuse consent to process personal data with a consent requirement that follows from other relevant legislation. While you might be obligated to obtain ‘consent’ pursuant to other legislation, this does not necessarily mean that consent has been granted as defined by data protection legislation. The requirement to obtain ‘consent’ of this kind will often constitute an important procedural rule in other legislation, but this does not necessarily mean that such consent can serve as the legal basis for the processing of personal data.” 

Source: The Danish Data Protection Agency report "Bidrag fra Datatilsynet: Erfaringsindsamling i forbindelse med Justitsministeriets nationale evaluering af databeskyttelsesreglerne", April 2021

Find out more about the different legal bases basis for processing personal data in research on the website. You’ll also find more information about the special conditions that determine whether consent can serve as a legal basis for the processing of personal data.

If you choose to process personal data on the legal basis of valid consent to data processing, you are responsible for ensuring that valid and documented consent is obtained pursuant to data protection law.  

AU has two templates for obtaining valid consent pursuant to data protection law. These consist of a consent form and an information form. By filling out both forms, you will have met your obligation to obtain valid consent pursuant to data protection law as well as your information duty.  

Before processing personal data, you must determine whether Aarhus University is an independent data controller or a joint controller together with an external party. 

You can find a guide to fill out the consent form and information duty in the template.

Frameworks for valid consent to data processing

Scope

Personal data may be processed for the specific purposes to which the data subjects have given their valid consent to data processing.  



Documentation requirements

Consent must be documented. Therefore, you should obtain written consent. You can use the AU consent form.  

You also have to document that the data subjects have received the information required for the consent to be valid as well as the information required to meet the information duty. You can use the AU form to meet the information duty. 


Participants' (data subjects') rights

As a general rule, data subjects can exercise all of their rights under the General Data Protection Regulation. If data subjects want to exercise their rights, you have to make an individual assessment based on the specific circumstances. 

Data subjects are also entitled to withdraw their consent. This means that you must stop processing their personal data. 


Disclosure of data within the EU/EEA (note: does not include making available to data processor)

You may only disclose personal data if you have the data subjects' consent to do so.  


Disclosure of data outside the EU/EEA (note: does not include making available to data processor)

You may only disclose personal data to a recipient outside the EU/EEA if you have the data subjects' consent to do so. Note that there are special requirements for the information to be provided to the data subjects about the transfer.   


Disclosure of biological material (note: does not include making available to data processor)

You may only disclose personal data in the form of biological material if you have a the data subjects consent.


Publicising personal data

You may only disclose personal data with a view to publishing if you have the data subjects' consent to do so.   


How to refer to your legal basis

  • Processing of ordinary personal data: Article 6(1)(a) of the General Data Protection Regulation. 
  • Processing of sensitive personal data: Article 9(2)(a) and Article 6(1)(a) of the General Data Protection Regulation. 

Conditions for valid consent to data processing

Here you can find the conditions for a valid consent to data processing. A valid consent must be given freely, be specific, be informed, be an unambiguous indication of the data subject's wishes, be withdrawable and communicated in clear and easy-to-understand language in an easily accessible form. 


Given frely

Given freely means that the data subjects (the persons whose personal data will be processed) may not be and cannot be affected negatively if they choose to say no to having their data processed.

You should therefore consider:

  • the circumstances under which consent is given
  • whether the persons whose consent you want belong to a particularly vulnerable group of people
  • whether there is a clear imbalance in the relationship between AU and the persons who are to give their consent

For consent to be given freely, the persons who give their consent must have the option of saying 'yes ' or 'no' to different processing purposes.


Example:

A data subject may want to give consent to the use of their personal data in your research project, but not want you to use the data for teaching purposes or for publication.


Specific

For a consent to be specific it must be specific about the processing purpose(s) for which consent is given.

You must therefore specify for which purposes you intend to process the personal data of your data subjects. As a minimum, the purpose should be sufficiently specific to make it clear to the data subjects that your research (and thus processing of their personal data) will be in a specifically recognised scientific field.


Informed

Informed means that the data subjects should have information about who will process their personal data and how the data will be processed.

The data subject's consent must be given on an informed basis.

See what information the data subject should be provided with in the consent form and the associated appendices for meeting the information duty.


Unambiguous indication of the data subject’s wishes

Unambiguous indication of the data subject’s wishes means that data subjects must actively consent to the processing of their personal data. In other words, no data subject can commit to anything by being passive.

The research coordinator must be able to document that consent has been given.

This can be done in several ways. For example, you can use the AU consent form. If you use the AU consent form, the data subjects have to tick off the processing purposes that they give consent to and then sign the form.

If you collect consents digitally, you can use a form on the AU website with checkboxes that then document the data subjects' choices in TYPO3. See GDPR guidelines for web editors.  You can also use a two-factor authentication system. In this case, you can, for example, obtain consent via a checkbox solution on the website and then send a confirmation email to the participant with a link they can use to confirm their consent. 


Withdrawable

For a consent to be withdrawable, the consent must be just as easy to withdraw as it was to give.

Remember to include information in the consent form on how data subjects can withdraw their consent. For example, this could be by calling, sending an email or logging into their profile and unchecking the relevant boxes.

If consent is withdrawn, processing of personal data must stop. Any processing performed up to the point of withdrawal is lawful.


Communicated in clear and easy-to-understand language in an easily accessible form

The wording of a consent must take account of the data subjects who are to give the consent. The language of the consent must therefore be plain (in layman's terms).

The design of the consent is subject to special requirements if the data subjects are children. For example, you may have to use a different style of language for the consent than if the participants were adults. However, this will always depend on a specific assessment. To ensure that your style is easy to understand, you should:

  • be aware of the length of the text
  • avoid text in small print
  • make sure the data subjects have all the information in a single document if the document is a physical document, or, if you obtain the consent digitally, provide a link to a privacy policy that clearly communicates the information that the data subjects need
  • consider designing the consent in headings

See the AU consent form. Note that you may have to make adjustments to the form, depending on the data subjects you want for your research project. 


Regarding informed consent in connection with the transfer of personal data to third countries

A legal basis for data transfer is necessary whenever personal data (making available or disclosure) is shared. The informed consent of the data subject may constitute a legal basis for data transfer under certain conditions.

In addition to complying with the standard conditions for valid consent to data processing, the informed consent must be:

  • Explicit, which means that there may be no room for doubt as to whether consent is given. This means that the informed consent must be in written form. It is also an advantage to have the informed consent granted through a multi-step consent validation process, the first step of which is sending your informed consent declaration form to the data subject. If the data subject accepts, you must then send the data subject a receipt and request that they confirm their informed consent to the data transfer.
  • Specific, which means that the informed consent must be specific to the specific data transfer or series of transfers of personal data. This means that it is not sufficient that the data subject has consented to participate in the research project.
  • Informed, which means that the informed consent document must contain information about the possible risks connected with the transfer of personal data to a land which does not provide adequate protection of or offer adequate guarantees of the protection of personal data. For example, this could be information about the lack of a supervisory authority and information that the rights of data subjects may not be sufficiently protected in the third country.

Example

☐ I consent to the sharing of my personal data with [insert receiver/research institution] in [insert country or international organisation], which is outside the EU/EEA, even though the rules of the General Data Protection Regulation do not apply to the processing of personal data by the relevant foreign research institution. I have been informed that the level of protection of personal data does not correspond to the level guaranteed in the European Union, including that the transferred personal data during or after the transfer may be processed by the authorities in the third country in question in the interests of public safety, defence and state security. I have also been informed that the third land may not have an independent supervisory authority with responsibility for guaranteeing and enforcing data protection rules, including adequate enforcement powers to assist and advise data subjects in the exercise of their rights, just as there may not be access to an effective judicial remedy to address infringement of the rights of the data subject.

With regard to children and valid consent to data processing

The data protection rules include special protection for data concerning children, particularly with regard to information society services, e.g. social networks. Consent must be obtained from the holders of parental authority over the child, and this consent must be documented. Furthermore, all information addressed at children must be written in a clear and straightforward manner that children can understand.