Guide: Declarations of Consent under Data Protection Law
Create data protection information and consent form
Preparing GDPR-compliant data protection information and a declaration of consent under data protection law often turns out to be a challenge. As a rule, it is necessary to provide information, often comprehensive, so that so-called "informed consent" can be given. Both in administration and in research projects, especially medical research projects, the use of good and appropriate sample texts is indispensable.
Data protection information is required by law. It must be provided for almost every data processing activity. Synonyms of data protection information are: Privacy Notice, Data Protection Notice, Article 13 Notice, Data Protection Policy (should be avoided), or simply the heading "Data Protection".
We have the following samples to offer you for the preparation of a data protection information and a data protection law consent declaration:
Please note:
The sample texts are for orientation purposes. They are to be adapted to the respective individual case. Support in finalising the sample texts is available from the Data Protection and Information Security Unit, dsm@uol.de.
- The Presidential Board of the Carl von Ossietzky University of Oldenburg or the Data Protection and Information Security Unit cannot be the sole contact for those affected. Therefore, state in the declarations who the contact person/process owner/study management is. This is usually the person who is in charge of the project or similar for which the data are to be processed, or the respective OU management.
- Specify the data categories as precisely as possible, if necessary. Make the declarations fair and transparent for the data subjects.
- State the purpose as precisely as possible. This is especially true if no separate or preceding participant information is given. This is to ensure that the data subject understands the purpose for which the data is to be collected and can, on that basis, decide whether his/her own personal data is to be processed.
- If there is to be disclosure to (external) third parties, try to name them and also state the purpose. A "transfer to third parties" in the sense of the GDPR only exists if the data is still personal at that point. If the data is already anonymised when it is intended to be passed on, you do not have to state this. Nevertheless, for reasons of fairness and transparency, it would be desirable if, in this case too, information were provided that the data will be passed on to third parties in anonymised form. This is particularly important in view of the fact that, as a rule, the risk of re-identification cannot be ruled out.