Consent requests must be separate from other contract terms and conditions and/or from other information notices.
Consent should not be a pre-condition of signing up for a service unless the consent is necessary in order to deliver the service itself.Close
Consent must be an active choice for the individual giving consent. Silence, pre-ticked boxes or inactivity should not be viewed to constitute consent.
Un-ticked opt-in boxes or other similar active opt-in methods should be used.Close
You must allow individuals to consent to specific (or granular) types of data processing. A generic catch-all consent is not sufficient.Close
You must name your organisation and any third parties who will be relying on the individual's consent.Close
You must keep records to demonstrate an individual's consent including, what they were told and when and how they consented.Close
You must tell people that they have the right to withdraw their consent at any time and how they can do this. It must be as easy to withdraw consent as it is to give it. This means you will need to have simple and effective withdrawal mechanisms in place.Close
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Consent is not freely given if there is an imbalance in the relationship between the individual and the data controller.
Consent cannot be a pre-requisite for a service.
This is particularly relevant in the case of health research where a patient may feel obligated to give consent to a doctor on whom they are reliant for their healthcare.Close
GDPR Article 7 and Recital 43
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.