When do I need to ask for consent?
In most cases you do not need to ask for consent, as personal data processing at the University is often supported by another legal basis. Nevertheless, there are instances when you do need to ask for consent, for example from people who are not actively involved in the University’s operations. Examples of instances when you need to ask for consent:
- recruitment of staff and students
- administration of lists or registers of external stakeholders such as donors, alumni and external recipients of newsletters
- photographing or filming of people in certain circumstances
- processing of contact details of students’ next of kin
Within research, consent is applied in the same way as before.
- Go to researchethics.lu.se and read about research and consent for processing personal data
- More information about legal bases is available on the Legal basis page
How do I approach asking for consent to process personal data?
When you ask for consent, remember that consent is always to be voluntary, informed and documented:
- Voluntary: Ensure that the person you ask for their consent is not in some way dependent on the University. This means that you should be restrictive in using consent for processing personal data relating to staff or students. There may be scope for also using consent for staff and students in cases where they can decline with no risk of personal consequences, for example if it relates to asking people to participate with quotes or in photos or film in the University’s external communications.
- Informed: You need to inform the data subject about the nature of the personal data you are collecting, the purpose for which it will be used, how it will be processed and the data subject’s rights. The information on processing and rights is so extensive that as a rule it must be provided in writing. You can refer the data subject to the general information at lunduniversity.lu.se/gdpr but you must supplement this with specific information on the processing in question.
The Information for data subjects page provides assistance on compiling information
- Documented: You must document the consent from the data subject, be able to find it easily if required and link it to the personal data to which the consent applies. However, you do not need to register the consent in official records.
What applies to children and consent?
For children up to the age of 12, you need to ask the child’s legal guardian for consent to process personal data. From the age of 13, children can give their consent. Remember to be particularly careful with the processing of minors’ data. It is best to talk to the legal guardian even though this is not required by law.
What applies to consent collected before 25 May 2018?
Past consent is valid provided that it complies with the current legislation. Consent must be documented in a way that includes the contact details of the data subject. If you have past consent in documents, emails or online forms it is important to:
- store consent in an organised way
- review to ensure it meets the criteria – voluntary, informed and documented – and that the information includes the purpose of using the information, the rights of the data subject and how consent can be withdrawn.
- separate out any consent that may have been given by people in a position of dependency, such as staff and students.
Support and tools
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is always the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) - The Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.