As a researcher you will often come across situations in which you are under a legal obligation to obtain consent for participation from coming participants (data subjects) in your research project, or in which it is simply good practice or ethical to do so.
It is important that you are aware that these consent requirements do not necessarily entail that you should employ such consent as the legal basis for processing the subjects’ data. In fact, quite often it will be more appropriate to employ a legal basis other than consent as the legal basis for processing personal data for your research.
In the words of the Danish Data Protection Agency:
“Especially in connection with research, it is important not to confuse consent to process personal data with a consent requirement that follows from other relevant legislation. While you might be obligated to obtain ‘consent’ pursuant to other legislation, this does not necessarily mean that consent has been granted as defined by data protection legislation. The requirement to obtain ‘consent’ of this kind will often constitute an important procedural rule in other legislation, but this does not necessarily mean that such consent can serve as the legal basis for the processing of personal data.”
Source: The Danish Data Protection Agency report "Bidrag fra Datatilsynet: Erfaringsindsamling i forbindelse med Justitsministeriets nationale evaluering af databeskyttelsesreglerne", April 2021
When assessing whether you are able to/will base the processing of personal data on a consent, you must first consult the framework for a valid consent to data processing. Once you have checked whether you can and will process personal data within the framework, you must ensure that it can also be done in accordance with the terms and conditions that apply to the valid consent to data processing.
Valid consent to data processing must be documented. Therefore, you should obtain written consent. You can use the AU consent form.
You also have to document that the data subjects have received the information required for the consent to be valid as well as the information required to meet the information duty.
If your legal basis for processing personal data is a valid consent for data processing, many of your data subjects' rights can be derogated from. They can be derogated from because there are special exemptions for research and because there are special rules that protect the data subjects.
Remember that data subjects are entitled to withdraw their valid consent to data processing. This means that you must stop processing their personal data.
You may only disclose personal data if you have the data subjects' valid consent to data processing to do so.
If you are disclosing personal data to a recipient outside the EU/EAA or an international organisation, there are special requirements regarding the information to be provided to the data subjects about the transfer and regarding a legal basis for the transfer.
Here you can find the conditions for a valid consent to data processing. The consent must be freely given, specific, informed, an unambiguous indication of the data subject’s wishes and written in a clear and plain language in an easily accessible form.
Given freely means that the data subjects (the persons whose personal data will be processed) may not be and cannot be affected negatively if they choose to say no to having their data processed.
You should therefore consider:
For consent to be given freely, the persons who give their consent must have the option of saying 'yes ' or 'no' to different processing purposes.
Example:
The data subject wishes to consent to the processing of personal data in relation to research but not to educational purposes or publication.
For a consent to be specific it must be specific about the processing purpose(s) for which consent is given.
You must therefore specify for which purposes you intend to process the personal data of your data subjects. As a minimum, the purpose should be sufficiently specific to make it clear to the data subjects that your research (and thus processing of their personal data) will be in a specifically recognised scientific field.
Informed means that the data subjects should have information about who will process their personal data, why and how the data will be processed.
The data subject's consent must be given on an informed basis.
See what information the data subject should be provided with in the consent form INDSÆT LINK and the template regarding information duty. INDSÆT LINK
Unambiguous indication of the data subject’s wishes means that data subjects must actively consent to the processing of their personal data. In other words, no data subject can commit to anything by being passive.
The research coordinator must be able to document that consent has been given.
This can be done in several ways. For example, you can use the AU consent form. TJEK DETTE LINK. If you use the AU consent form, the data subjects have to tick off the processing purposes that they give consent to and then sign the form.
If you collect consents digitally, you can e.g., use a form on the AU website with checkboxes that then document the data subjects' choices in TYPO3. You can also use a two-factor authentication system. In this case, you can, for example, obtain consent via a checkbox solution on the website and then send a confirmation email to the participant with a link they can use to confirm their consent.
For a consent to be withdrawable, the consent must be just as easy to withdraw as it was to give.
Remember to include information in the consent form and the information form on how data subjects can withdraw their consent. For example, this could be by calling, sending an email or logging into their profile and unchecking the relevant boxes.
If consent is withdrawn, processing of personal data must stop. Any processing performed up to the point of withdrawal is lawful.
The wording of a consent must take account of the data subjects who are to give the consent. The language of the consent must therefore be plain, so it is easy for the data subjects to understand what they are giving their consent to.
The design of the consent is subject to special requirements if the data subjects are children. For example, you may have to use a different style of language for the consent than if the participants were adults. However, this will always depend on a specific assessment. To ensure that your style is easy to understand, you should:
See the AU consent form TJEK DETTE LINK. Note that you may have to adjust the form, depending on the data subjects you want for your research project.
If you base your processing of personal data on a consent, you must be aware that it is your responsibility to ensure that the consent collected is valid and documented.
AU has two templates for collecting valid consents for data processing. Before using the templates, you must determine whether AU is a (sole) data controller or a joint data controller.
Remember that you must also comply with your information duty. The consent for processing personal data is not valid unless you have collected the consent and given the information according to your information duty.
If you base your processing on a valid consent to data processing, you should be particularly aware if:
A legal basis for data transfer is necessary whenever personal data (making available or disclosure) is shared. The consent of the data subject may constitute a legal basis for data transfer under certain conditions.
In addition to complying with thestandard conditions for valid consent to data processing, the consent must be:
Example ☐ I consent to the sharing of my personal data with [insert receiver/research institution] in [insert country or international organisation], which is outside the EU/EEA, even though the rules of the General Data Protection Regulation do not apply to the processing of personal data by the relevant foreign research institution. I have been informed that the level of protection of personal data does not correspond to the level guaranteed in the European Union, including that the transferred personal data during or after the transfer may be processed by the authorities in the third country in question in the interests of public safety, defence and state security. I have also been informed that the third land may not have an independent supervisory authority with responsibility for guaranteeing and enforcing data protection rules, including adequate enforcement powers to assist and advise data subjects in the exercise of their rights, just as there may not be access to an effective judicial remedy to address infringement of the rights of the data subject. |
The data protection rules include special protection for data concerning children, particularly regarding information society services, e.g., social networks. Consent must be obtained from the holders of parental authority over the child, and this consent must be documented. Furthermore, all information addressed at children must be written in a clear and straightforward manner that children can understand.