Consent of respondents will often be used as the lawful basis for carrying out research in many EU member states. The GDPR retains the concept of consent contained in the 1995 directive, but raises the bar for considering it valid, by setting out additional requirements.
Under GDPR consent shall be:
- Freely given: It must reflect the respondent’s genuine and free choice, and he/she must be able to refuse or withdraw consent without detriment. There should be no element of coercion, if the consent was not freely given, then that consent will not be valid.
- Specific: Consent must be intelligible (easy to understand) and distinguishable from other matters like terms & conditions (no bundled consent). It must relate to specific processing operations. Blanket consent that does not specify the exact purposes of the processing is not valid consent.
- Informed: Respondents must be able to understand the extent to which they are consenting and be aware at least of the identity of the controller and the purposes of the processing.
- Unambiguous: It should not be open to more than one interpretation.
- Clear affirmative action: The respondents must do something to manifestly indicate that they agree to the processing of their personal data, such as by a written statement, including electronic means, or an oral statement. An example of a clear affirmative action is the ticking of a box. Silence, pre-ticked boxes or inactivity does not constitute valid consent under GDPR.
Where data processing has multiple purposes, consent should be given for all of them, unless such purposes are considered compatible. This essentially means that the data controller (market research company or its client) can further process personal data, where the purpose of the processing is compatible with the purpose for which the personal data was initially collected.
For example, if a company that produces chocolate wants to know, through a survey, how many adults (ages 18-40) eat their chocolates, it needs to obtain consent for the processing of the respondents’ personal data and specify to the individuals the purpose for which they will be using such data, which is to know how many adults in that age range eat their chocolates. After completing the survey, the chocolate company compiled a list of the people that eat their chocolate often, this list is then used for direct marketing (they send emails and posts to the individuals about their new products). This will be considered incompatible with the purpose for which the respondents’ personal data was collected because the chocolate company never informed the respondents that they would use the information collected from the survey for profiling or direct marketing, and the respondents did not give their consent for the use of their data for this additional purpose.
If the legal basis used is consent, researchers must understand what GDPR consent means and the fact that respondents will generally have stronger rights (right to erasure, right to data portability) where consent has been given.