Skip to ContentSkip to Navigation
Research Research Data Management Data Protection & GDPR


Consent is one of the legal grounds for processing personal data for scientific research.

If consent is the legal ground for the processing of the data, the controller shall be able to demonstrate that the participant has consented to the processing of his/her data and, that consent meets the requirement defined by GDPR.

All the information provided to the participants must be presented in a transparent and easily accessible way, using clear and understandable language.

To facilitate the communication with the participant the controller may also use a combination of methods, such as privacy statements/notices, information on the project’s web page, etc. (layered approach).

The consent must be:

  • Freely given: consent is not valid when the data subject has no real choice, feels compelled or pressured to consent or will endure negative consequences if they refuse or withdraw consent.
  • Specific: the consent must specify the purpose(s) for which the data are processed.
  • Informed: providing exhaustive information to the participants is essential to their ability to make informed decisions.
  • Unambiguous: the wishes of the participants to agree to the processing of their data means must be clear.

The minimum requirement for consent are:  

  • the identification of the data controller, joint-controllers (if the case) and, the contact details of the Data Protection Officer;  
  • the description of the purpose(s) of the data processing;  
  • the description of the subject’s rights, in particular, the right and the procedure to withdraw consent and the right to lodge a complaint with a supervisory authority;
  • information as to whether data will be shared with or transferred to third parties and for what purposes; and  
  • how long the data will be retained before they are destroyed.

UG Information sheet templates and consent form checklist

FAQ: How to obtain a digital signature for consent

More (legal) information

European Data Protection Board Guidelines 05/2020 on consent

CESSDA Data Management Expert Guide: chapter on ethics and data protection

Special categories of data

Special categories of data (formerly known as ‘sensitive data’) are data revealing information about:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • genetic data, biometric data for the purpose of uniquely identifying a natural person,
  • health,
  • person’s sex life or sexual orientation.

Processing of special categories of personal data is forbidden except when there is explicit consent.

Based on the GDPR in Dutch law, the processing of special categories of data is also allowed when:

  • it is necessary for the research purpose; and
  • the processing is proportionate to the aim pursued; and
  • the essence of the right to data protection are respected; and
  • the controller provides suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.

Last modified:16 September 2021 3.21 p.m.