Valid consent to data processing

This page was updated in August 2023. Please note that we regularly update these pages.


Do you consider basing your processing of personal data on the legal basis for scientific research purposes? Here you can read more about:

  • The differences between consents
  • The framework and conditions for a valid consent to data processing
  • How to collect a valid consent to data processing

There are different kinds of consent

As a researcher you will often come across situations in which you are under a legal obligation to obtain consent for participation from coming participants (data subjects) in your research project, or in which it is simply good practice or ethical to do so. 

It is important that you are aware that these consent requirements do not necessarily entail that you should employ such consent as the legal basis for processing the subjects’ data. In fact, quite often it will be more appropriate to employ a legal basis other than consent as the legal basis for processing personal data for your research. 

In the words of the Danish Data Protection Agency:

“Especially in connection with research, it is important not to confuse consent to process personal data with a consent requirement that follows from other relevant legislation. While you might be obligated to obtain ‘consent’ pursuant to other legislation, this does not necessarily mean that consent has been granted as defined by data protection legislation. The requirement to obtain ‘consent’ of this kind will often constitute an important procedural rule in other legislation, but this does not necessarily mean that such consent can serve as the legal basis for the processing of personal data.”

Source: The Danish Data Protection Agency report "Bidrag fra Datatilsynet: Erfaringsindsamling i forbindelse med Justitsministeriets nationale evaluering af databeskyttelsesreglerne", April 2021


When is a consent a valid consent to data processing?

When assessing whether you are able to/will base the processing of personal data on a consent, you must first consult the framework for a valid consent to data processing. Once you have checked whether you can and will process personal data within the framework, you must ensure that it can also be done in accordance with the terms and conditions that apply to the valid consent to data processing.

Framework for a valid consent to data processing

Scope

Personal data may be processed for the specific purposes to which the data subjects have given their valid consent to data processing.



Documentation requirements

Valid consent to data processing must be documented. Therefore, you should obtain written consent. You can use the AU consent form. 

You also have to document that the data subjects have received the information required for the consent to be valid as well as the information required to meet the information duty. 


Data subjects’ rights

If your legal basis for processing personal data is a valid consent for data processing, many of your data subjects' rights can be derogated from. They can be derogated from because there are special exemptions for research and because there are special rules that protect the data subjects.  

Remember that data subjects are entitled to withdraw their valid consent to data processing. This means that you must stop processing their personal data.


Disclosure of personal data

You may only disclose personal data if you have the data subjects' valid consent to data processing to do so.

If you are disclosing personal data to a recipient outside the EU/EAA or an international organisation, there are special requirements regarding the information to be provided to the data subjects about the transfer and regarding a legal basis for the transfer.


How to refer to the legal basis

  • Processing of general personal data: Article 6(1)(a) of the General Data Protection Regulation.
  • Processing of sensitive personal data: Article 9(2)(a) and article 6(1)(a) of the General Data Protection Regulation.

Conditions for a valid consent to data processing

Here you can find the conditions for a valid consent to data processing. The consent must be freely given, specific, informed, an unambiguous indication of the data subject’s wishes and written in a clear and plain language in an easily accessible form. 

Freely given

Given freely means that the data subjects (the persons whose personal data will be processed) may not be and cannot be affected negatively if they choose to say no to having their data processed.

You should therefore consider:

  • the circumstances under which consent is given.
  • whether the persons whose consent you want belong to a particularly vulnerable group of people.
  • whether there is a clear imbalance in the relationship between AU and the persons who are to give their consent.

For consent to be given freely, the persons who give their consent must have the option of saying 'yes ' or 'no' to different processing purposes.

Example:

The data subject wishes to consent to the processing of personal data in relation to research but not to educational purposes or publication.

Specific

For a consent to be specific it must be specific about the processing purpose(s) for which consent is given.

You must therefore specify for which purposes you intend to process the personal data of your data subjects. As a minimum, the purpose should be sufficiently specific to make it clear to the data subjects that your research (and thus processing of their personal data) will be in a specifically recognised scientific field.

Informed

Informed means that the data subjects should have information about who will process their personal data, why and how the data will be processed.

The data subject's consent must be given on an informed basis.

See what information the data subject should be provided with in the consent form INDSÆT LINK and the template regarding information duty. INDSÆT LINK

An unambiguous indication of the data subject’s wishes

Unambiguous indication of the data subject’s wishes means that data subjects must actively consent to the processing of their personal data. In other words, no data subject can commit to anything by being passive.

The research coordinator must be able to document that consent has been given.

This can be done in several ways. For example, you can use the AU consent form. TJEK DETTE LINK. If you use the AU consent form, the data subjects have to tick off the processing purposes that they give consent to and then sign the form.

If you collect consents digitally, you can e.g., use a form on the AU website with checkboxes that then document the data subjects' choices in TYPO3. You can also use a two-factor authentication system. In this case, you can, for example, obtain consent via a checkbox solution on the website and then send a confirmation email to the participant with a link they can use to confirm their consent.

Withdrawable

For a consent to be withdrawable, the consent must be just as easy to withdraw as it was to give.

Remember to include information in the consent form and the information form on how data subjects can withdraw their consent. For example, this could be by calling, sending an email or logging into their profile and unchecking the relevant boxes.

If consent is withdrawn, processing of personal data must stop. Any processing performed up to the point of withdrawal is lawful.

Communicated in clear and plain language in an easily accessible form

The wording of a consent must take account of the data subjects who are to give the consent. The language of the consent must therefore be plain, so it is easy for the data subjects to understand what they are giving their consent to.

The design of the consent is subject to special requirements if the data subjects are children. For example, you may have to use a different style of language for the consent than if the participants were adults. However, this will always depend on a specific assessment. To ensure that your style is easy to understand, you should:

  • be aware of the length of the text.
  • avoid text in small print.
  • make sure the data subjects have all the information in a single document if the document is a physical document, or, if you obtain the consent digitally, provide a link to a privacy policy that clearly communicates the information that the data subjects need.
  • consider designing the consent in headings.

See the AU consent form TJEK DETTE LINK. Note that you may have to adjust the form, depending on the data subjects you want for your research project.


How to collect a valid consent to data processing

If you base your processing of personal data on a consent, you must be aware that it is your responsibility to ensure that the consent collected is valid and documented.

AU has two templates for collecting valid consents for data processing. Before using the templates, you must determine whether AU is a (sole) data controller or a joint data controller.

Remember that you must also comply with your information duty. The consent for processing personal data is not valid unless you have collected the consent and given the information according to your information duty.

Templates for consent form and information duty (valid consent for data processing)

Here you will find templates that can be used if you process personal data for research purposes and possibly other purposes based on a valid consent to data processing


Special situations regarding consent as a legal basis for transferring personal data or consent from children

If you base your processing on a valid consent to data processing, you should be particularly aware if:

  • You use the consent as a legal basis for transferring personal data to third countries (outside the EU/EAA) or to international organisations.
  • You collect consent from children.

Consent as a legal basis for transfer

A legal basis for data transfer is necessary whenever personal data (making available or disclosure) is shared. The consent of the data subject may constitute a legal basis for data transfer under certain conditions.

In addition to complying with thestandard conditions for valid consent to data processing, the consent must be:

  • Explicit, which means that there may be no room for doubt as to whether consent is given. This means that the informed consent must be in written form. It is also an advantage to have the informed consent granted through a multi-step consent validation process, the first step of which is sending your informed consent declaration form to the data subject. If the data subject accepts, you must then send the data subject a receipt and request that they confirm their informed consent to the data transfer.
  • Specific, which means that the informed consent must be specific to the specific data transfer or series of transfers of personal data. This means that it is not sufficient that the data subject has consented to participate in the research project.
  • Informed, which means that the informed consent document must contain information about the possible risks connected with the transfer of personal data to a land which does not provide adequate protection of or offer adequate guarantees of the protection of personal data. For example, this could be information about the lack of a supervisory authority and information that the rights of data subjects may not be sufficiently protected in the third country.

Example

☐ I consent to the sharing of my personal data with [insert receiver/research institution] in [insert country or international organisation], which is outside the EU/EEA, even though the rules of the General Data Protection Regulation do not apply to the processing of personal data by the relevant foreign research institution. I have been informed that the level of protection of personal data does not correspond to the level guaranteed in the European Union, including that the transferred personal data during or after the transfer may be processed by the authorities in the third country in question in the interests of public safety, defence and state security. I have also been informed that the third land may not have an independent supervisory authority with responsibility for guaranteeing and enforcing data protection rules, including adequate enforcement powers to assist and advise data subjects in the exercise of their rights, just as there may not be access to an effective judicial remedy to address infringement of the rights of the data subject.

Consent from children

The data protection rules include special protection for data concerning children, particularly regarding information society services, e.g., social networks. Consent must be obtained from the holders of parental authority over the child, and this consent must be documented. Furthermore, all information addressed at children must be written in a clear and straightforward manner that children can understand.