Lars Galow (Management, Information Security Officer)

Christoph Wilken (Consultant)

Thorsten Kamp (Officer, Deputy Information Security Officer)

Visitor address

Ecological Centre ÖCO, 3rd floor Uhlhornsweg 99a 26129 Oldenburg

Postal address

Carl von Ossietzky Universität Oldenburg 
Stabsstelle Datenschutz- und Informationssicherheitsmanagement
Ammerländer Heerstr. 114-118
26129 Oldenburg

Legal Basis

The most important legal bases for university sector

In order to process personal data lawfully, a legal basis is required.

The two most important legal bases are consent and the performance of public duties.

Overview of the relevant legal bases

  • Consent - Art. 6 para. 1 lit. a GDPR
  • Consent - Art. 9 para. 2 lit. a GDPR
  • Fulfilment of a legal obligation - Art. 6 para. 1 lit. c GDPR
  • Performance of public duties - Art. 6 para. 1 lit. e GDPR (see below)

For the processing of general personal data, the legal basis is consent pursuant to Art. 6 (1) lit. a GDPR.

According to this provision, the data subject must have given consent to the processing of personal data relating to him or her for one or more specific purposes in order for consent to be taken as the legal basis.

Particularities of special categories of personal data

If special categories of personal data are also processed, Art. 9(2)(a) of the GDPR may be used as a legal basis. In this case, the consent must be expressly declared. This means that tacit, implied consent is no longer sufficient. Furthermore, the exact data to be processed and the purpose for which it is to be used should be specified. It is strongly advisable to provide a written declaration of consent for signature or, in the case of electronic consent, to record it.

If the legal basis is the consent of the data subject, he or she has the right of revocation at any time. Right of revocation of which they must be must be informed.

The term "consent" is defined in more detail in Art. 4 No. 11 as

  • an expression of will given voluntarily by the person for the specific case, in an informed manner and unambiguously
  • in the form of a declaration or other unambiguous affirmative act,
  • by which the data subject indicates his or her agreement to the processing of personal data relating to him or her.

Specific purpose

Because consent must relate to one or more specific purposes, these must also be clearly and transparently stated in the Statement of Consent (or, where applicable, in the privacy statement if referenced accordingly). The prior definition of the purpose is intended to prevent the data subject's consent from being subsequently extended.

  • Since the processing of personal purposes in the field of scientific research cannot always be fully specified, data subjects are allowed to indicate consent for certain areas of scientific research if this is done in compliance with the recognised ethical standards of scientific research. Therefore, in this field, data subjects must be given the opportunity to give their consent only for specific areas of research or parts of research projects to the extent permitted by the purpose pursued. (Recital 33 to the GDPR)


Consent must be voluntary, which will usually be the case. Particular care is needed in cases where consent to the processing of personal data is to be part of a contract for the performance of a contract. In such cases, it may be difficult to speak of voluntariness if the data subject has a contractual obligation to do so. Due to further doubts about the legality of this type of agreement, it is not advisable to conclude such contracts at this point.

Voluntariness exists when the data subject has a genuine or free choice and is thus able to refuse or withdraw consent without suffering any disadvantages (recital 42 to the GDPR).

It should regularly not exist if there is a clear imbalance between the data subject and the controller, especially if the controller is a public authority and it is unlikely, given all the circumstances in the specific case, that consent was given voluntarily. This means that as a rule, if the controller acts in a sovereign manner, the implied consent of the data subject cannot be used as a valid legal basis, so that another legal basis (such as Art. 6(1)(c) GDPR or Art. 6(1)(e) GDPR) must be found.

  • For this reason, it is recommended on this side to explicitly and clearly state in any participant information as well as in the declaration of consent (or data protection declaration) that the declared consent is voluntary.

Declaration or other unambiguous affirmative act

In principle, consent must be externally recognisable in some form. This is of course the case if the data subject declares consent in writing or orally. There is no formal requirement for declarations of consent, but to be on the safe side, a signature of the data subject should be obtained if possible.

It is also sufficient to meet the requirements for an "other unambiguous confirming action" if a box is clicked when visiting a website (so-called opt-out procedures, in which the box is pre-ticked when the page is called up, are not permissible), as long as it is thereby understandable that the data subject thereby consents to the data processing.

If the electronic method is chosen and the data subject is requested to give consent, it should be noted that this request should be made in as clear and concise a form as possible and without unnecessary interruption of the service .


Consent must be sufficiently specific. The data subject must know which personal data relating to him or her will be processed, for what purpose, by whom and, if applicable, to whom it will still be disclosed. Therefore, the declaration of consent (or privacy policy) should always state that data will or will not be passed on to third parties or third countries.

Informed consent

The data subject must be given all the necessary information to enable him or her to decide whether to give consent. It should be assumed that the data subject can understand the content and scope of the declaration on the basis of the information. Therefore, the information should be provided in as clear, transparent, understandable and orderly a manner as possible. The font should be easy to read, the content should be coherent and the text passages should build on each other.

Performing a task that is in the public interest

The GDPR provides a legal basis for the processing of personal data in Art. 6 (1) (e) if this is necessary to perform a task in the public interest. According to Art. 6 (3) GDPR, the legal basis is determined by the "law of the Member States to which the controller is subject", i.e. federal and state laws.

The Lower Saxony Data Protection Act (LSDPA) supplements Art. 6 para. 1 lit. e in § 3 LSDPA. According to this, the processing of personal data is permissible insofar as it is necessary for the fulfilment of a task that lies within the competence of the person responsible.

Which tasks of public interest are now within the competence of the members and staff of the University of Oldenburg for fulfilment is stated in particular in the Lower Saxony Higher Education Act (NHG).

Therefore, if processing is to be based on the legal basis of Art. 6(1)(e) GDPR, Section 3 LSDPA and the respective special provision from the NHG or another law must also be cited in the data protection or consent declaration. This is the only way to provide the data subject with sufficient and specific information.

Thus, Section 13 LSDPA, which is applicable via Art. 6 para. 1 lit. e / Art. 9 para. 2 lit. j GDPR i.V.m. § Section 3 LSDPA, provides for data processing for a specific scientific or historical research project. If special categories of personal data are collected, the path must go via Art. 9 DSGVO. The chain of norms would then be either:

  • Art. 6 para. 1 lit. e GDPR in conjunction with. §§ 3 p. 1 no. 1, 13 LSDPA or
  • Art. 9 para. 2 lit. j GDPR in conjunction with. §§ 3 p. 1 no. 1, 13 LSDPA

A legal basis for processing personal data is also required if the data is pseudonymised. Only in the case of anonymised data (can also be achieved, for example, through sufficient aggregation ) do the strict provisions of the GDPR no longer apply.

Internetkoordinator (Changed: 29 May 2024)  | 
Zum Seitananfang scrollen Scroll to the top of the page