For almost a decade, the scientific research provisions of the General Data Protection Regulation (GDPR) have lacked authoritative, European Union (EU)-wide interpretation, leaving sponsors of clinical trials and research institutions alike to navigate a patchwork of national implementing laws. A 2019 study commissioned by the European Data Protection Board (EDPB) — the body comprising EU national data protection authorities — confirmed significant divergence among EU Member States, and interim guidance published in 2021 by the EDPB highlighted — but left unresolved — several key GDPR compliance issues facing organisations in the life sciences industry. In the years since, the COVID-19 pandemic and the United Kingdom's post-Brexit departure from the EU framework have only sharpened the need for more specific guidance. Ropes & Gray attorneys co-authored an article published in Science magazine in October 2020 that provided a summary of the complexity in this space and potential solutions.
The adoption of Guidelines 1/2026 by the EDPB on 15 April 2026 represents the most meaningful step to date towards regulatory clarity for the global research enterprise. The Guidelines, which are open for public consultation until 25 June 2026, address, among other things, the definition of “scientific research”, the legal bases for processing sensitive personal data (including broad consent and the public interest and legitimate interest pathways), and transparency obligations and appropriate safeguards under Article 89(1) of the GDPR. The EDPB has simultaneously announced a dedicated “sprint team” to finalise related guidelines on anonymisation by the summer. Given the GDPR’s broad extra-territorial jurisdiction, the Guidelines will have major implications for research organisations both within and outside the EU.
This Alert summarises five key takeaways from the Guidelines for organisations in the healthcare and life sciences industries, for whom the processing of health data, genetic data and other special category data is fundamental to clinical development, real-world evidence generation, and biobank curation:
- Clarification of what constitutes “scientific research”. Six key indicative factors, assessed in light of the nature, scope, context, and purpose of the processing, help to determine whether an activity constitutes scientific research.
- Further processing and storage limitation. Further processing for scientific research is presumed compatible with the original purpose, and controllers may store personal data for longer periods than necessary for the primary processing purpose if the data will be processed solely for scientific research purposes.
- Lawful bases for research processing. Helpfully for the research community, the Guidelines clarify that broad consent is permissible, while highlighting that dynamic consent models may be helpful in obtaining truly informed consent. The public interest and legitimate interest bases provide potential alternatives to consent, particularly for secondary uses of data.
- Transparency and data subjects’ rights. Controllers must ensure transparency throughout the entire processing period, including providing one or more GDPR-compliant privacy notices to data subjects. There are circumstances in which limitations on data subject rights — including the rights to erasure and objection — may be applied in scientific research.
- Appropriate safeguards under Article 89(1). Controllers must adopt technical and organisational safeguards, following a data minimisation hierarchy that prioritises the use of anonymised data, followed by pseudonymised data, before directly identifiable data may be processed.
1. Clarification of What Constitutes “Scientific Research”
A threshold question for any organisation seeking to rely on the GDPR’s research-specific provisions is whether its activities qualify as “scientific research”. The GDPR provides that the concept should be interpreted broadly, but the EDPB in its Guidelines cautions that it “may not be stretched beyond its common meaning.”
The Guidelines set out six key indicative factors that should be assessed in light of the nature, scope, context, and purpose of the processing to determine whether a given activity constitutes “scientific research”:
- Methodical and systematic approach: does the research follow a comprehensive plan, hypothesis, or stated objective?
- Adherence to ethical standards: is the research conducted in line with ethical standards in the relevant field?
- Verifiability and transparency: are the results verifiable and open to peer review and criticism?
- Autonomy and independence: do researchers operate free from undue external pressures and possess relevant academic or scientific qualifications?
- Objectives of the research: does the research aim to contribute to society’s general knowledge and wellbeing?
- Potential to contribute to existing scientific knowledge: does the research have the potential to advance scientific knowledge or apply existing knowledge in new ways?
Where all six factors are present, the activity is presumed to constitute scientific research within the meaning of the GDPR. Where not all factors are met, the controller must justify — and be able to demonstrate — why the activity should nonetheless qualify. The more key indicative factors that are present, the more likely it is that the activity constitutes scientific research.
Pages 10-12 of the Guidelines provide three illustrative scenarios that demonstrate how the six-factor framework applies in practice. The first of these examples confirms that a profit motive does not disqualify an activity from being scientific research — a clinical trial conducted by academically qualified researchers under good clinical practice, subject to ethical review and intended to generate publishable findings, can be deemed to be conducted for scientific research purposes under the GDPR even when sponsored by a for-profit pharmaceutical company. The second example concerns a for-profit AI start-up that partners with a university faculty to conduct research on bias in generative AI models, applies for external funding subject to conditions requiring established scientific methods and ethical review, and publishes its findings in a peer-reviewed paper. Because those concrete measures mean that all six factors are satisfied, the start-up’s commercially motivated R&D qualifies as scientific research under the GDPR. Conversely, the Guidelines’ third illustrative example confirms that internal marketing analytics conducted by marketing staff rather than independent researchers, with results neither shared nor subject to peer review, and directed solely at furthering a company’s commercial interests, do not qualify as scientific research.
Taken together, the Guidelines’ illustrative examples suggest that the characterisation of any given activity as scientific research turns on how it is conducted, not merely on how it is labelled. This is reinforced by Recital 159 of the GDPR, which provides that the concept of scientific research should be interpreted broadly to include “technological development and demonstration, fundamental research, applied research and privately funded research”.
Accordingly, an activity branded as R&D or product development — including in the AI space — can satisfy the six-factor framework and benefit from the GDPR’s research-specific provisions. However, AI-enabled research is likely to require a data protection impact assessment (DPIA) under Article 35 of the GDPR, particularly where special category data are processed at scale or novel technologies are deployed.
2. Further Processing and Storage Limitation
Under Article 5(1)(b) of the GDPR, personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Accordingly, it is generally the case that where a controller intends to use personal data for a new purpose, it must first assess whether that new purpose is compatible with the original purpose by applying the compatibility test set out under Article 6(4) of the GDPR.
Article 5(1)(b) of the GDPR states that further processing for scientific or historical research purposes shall not be considered incompatible with the initial purposes of processing. The Guidelines build on and clarify this concept by providing that further processing of personal data for scientific research purposes is presumed to be compatible with the original purpose, meaning that controllers are not required to perform the Article 6(4) GDPR compatibility test. In many cases, controllers may rely on the same legal basis that applied to the initial processing, particularly where appropriate Article 89(1) GDPR safeguards have been adopted. However, controllers must still verify that the original legal basis remains suitable for the further processing. If not, they must identify and establish a different legal basis.
On storage limitation, the Guidelines confirm that controllers may retain personal data beyond the point at which the original processing purpose has been fulfilled where the data will be processed solely for scientific research purposes, subject to appropriate Article 89(1) GDPR safeguards. However, storage for generic, unspecified “scientific research purposes” is not justified. Controllers must specify at least a defined area of research, regularly review the necessity of continued storage (including whether data should be anonymised or pseudonymised) and ensure that the future research activities are reasonably foreseeable in relation to the relevant scientific field.
For sponsors and data custodians, this provides a firmer legal footing for maintaining curated research datasets beyond primary study endpoints, but retention must be supported by ongoing governance, documented necessity assessments and appropriate safeguards.
3. Lawful Bases for Research Processing
Controllers must select an appropriate lawful basis under Article 6 of the GDPR for processing of non-sensitive personal data and, where special category data (such as health or genetic data) are involved, also identify an applicable exception to the prohibition on processing such data under Article 9 of the GDPR. The Guidelines address the principal lawful bases relevant to research as follows:
- Consent. The permissibility of broad consent has long been a source of debate under the GDPR and generated significant confusion amongst the research enterprise. Fortunately, the Guidelines state clearly that the GDPR permits broad consent for the processing of personal data within a defined area of scientific research where the purposes are not fully known at the time of collection. To rely on broad consent, controllers must process data in accordance with ethical standards and adopt additional safeguards to compensate for the lack of full purpose specification. Critically, the Guidelines make clear that the key test for whether processing under broad consent is permissible is whether the data subject would reasonably expect their data to be used for that type of research. This “reasonable expectations” standard parallels the authorisation framework under the HIPAA Privacy Rule in the US, creating a useful point of convergence for organisations designing dual-track consent architectures for global research programmes.
Controllers may also use dynamic consent, obtaining agreement for individual research projects (or parts thereof) as purposes crystallise. A combination of both approaches is permissible, and the two consents may be sought at the same time and presented together — for example, in a single folder or information pack given to research participants — provided that the GDPR consent elements are clearly identifiable and meet the distinct requirements for valid consent under the GDPR.
Notably, the Guidelines represent a significant departure from the EDPB’s earlier suggestion that consent could rarely serve as a valid legal basis for processing in clinical trials due to the inherent power imbalance between investigators and subjects. The Guidelines now clarify that a patient’s status as a healthcare recipient does not, in itself, preclude freely given consent; a power imbalance affecting the validity of consent arises only where the data subject’s capacity is severely affected by a mental or physical medical condition. This recalibration aligns EDPB guidance more closely with US standards and may encourage more research sponsors to rely on consent as a basis for processing. The Guidelines also emphasise that GDPR consent must be distinguished from consent to participate in research required by ethical or sectoral law: informed consent under the Clinical Trials Regulation does not automatically satisfy GDPR requirements, and vice versa.
- Public interest. Reliance on performance of a task carried out in the public interest under Article 6(1)(e) of the GDPR is not limited to public entities. Private companies may invoke this basis where EU or Member State law authorises their research activities. This is a potentially significant pathway for commercially sponsored research conducted pursuant to national research acts or the upcoming European Health Data Space (EHDS).
- Legitimate interest. Scientific research — whether for profit or not — can constitute a legitimate interest under Article 6(1)(f) of the GDPR. Controllers processing non-sensitive personal data for scientific research purposes can often attribute significant weight to the research interest in the balancing test, particularly where robust Article 89(1) GDPR safeguards have been adopted.
- Special categories of data. Where special category data (such as health or genetic data) are processed for scientific research, controllers must also identify an applicable Article 9(2) GDPR exception to the prohibition on processing such data. The Guidelines recognise three principal routes: (i) explicit consent (broad or dynamic), (ii) exceptions provided for by EU or Member State law, including, for example, the EHDS once its secondary use provisions become applicable, and (iii) data manifestly made public by the data subject.
The Guidelines’ treatment of national implementing legislation under Article 9(2)(j) of the GDPR (i.e. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes) highlights a critical area of divergence. The EDPB surveyed implementing legislation across a number of EU and European Economic Area (EEA) states, each of which has varying safeguard requirements. Helpfully, the Guidelines collect in their footnotes examples of Member State laws that provide a basis for processing special category data for scientific research purposes — a useful reference for organisations mapping across jurisdictions. For example, the implementing legislation in Bulgaria and Latvia does not specify safeguards, whereas Italy and France require prior authorisation from the data protection authority for certain secondary uses of sensitive data.
For multinational research programmes, controllers must map the applicable national derogations in each jurisdiction where special category data are processed — a compliance exercise that, while now better informed by the Guidelines, remains both jurisdiction-specific and time-consuming. Indeed, the complexity and fragmentation of the Article 9(2)(j) landscape may in practice encourage more controllers to rely on consent as their preferred lawful basis for processing special category data for scientific research — particularly in light of the Guidelines’ more permissive approach to consent in clinical trials (as discussed above) — in order to avoid the operational burden of conducting a jurisdiction-by-jurisdiction mapping exercise. At the same time, the public interest and legitimate interest pathways remain meaningful alternatives, particularly for secondary use programmes, real-world evidence studies and research authorised under national research acts or the EHDS.
4. Transparency and Data Subjects’ Rights
The EDPB sets a high bar for transparency throughout the entire processing period, particularly for long-running research projects. Controllers must inform data subjects at the time of collection and provide updates when there are material changes to the processing, including changes to research objectives, the lawful basis (or bases) for processing, the engagement of new research partners (particularly those outside the EEA), or extensions to the retention period. However, the Guidelines acknowledge that controllers relying on broad consent may describe the intended research purposes at a more general level at the outset — for example, by reference to a defined field of research such as oncology or medical genetics — provided that controllers keep data subjects informed as research activities evolve. The obligation to provide notice applies even where the controller does not have direct access to the personal data or contact with data subjects, for example, where processing is carried out by a processor on the controller’s behalf. Practical measures recommended by the Guidelines include privacy dashboards, layered online portals and coordinated contact points.
Data subjects retain their GDPR rights, but certain limitations apply in the research context. For example, the right to erasure under Article 17 of the GDPR is subject to an exception, under Article 17(3)(d), where erasure would be “likely to render impossible or seriously impair” the research objectives and the controller has adopted appropriate safeguards. The Guidelines illustrate this with a practical example: a private research institute is conducting scientific research on the historical development of open-source software by examining a Merkle tree (a cryptographic data structure) that displays the development history, including the names of developers at each point in time. A software developer requests deletion of an entry citing him as co-author because he has changed his first name and considers that retention of his old name violates his right to private life. The research institute rejects the request under Article 17(3)(d) of the GDPR because the research needs to reflect the historical facts of the software’s development, including which individual developers were involved at each stage, and erasure would therefore be likely to seriously impair the achievement of the research objectives. This example underscores that the scientific research exception requires a fact-specific assessment and will not justify blanket refusals of erasure requests.
Similarly, the right to object under Article 21 of the GDPR is addressed by Article 21(6), which specifies that, in the context of scientific research, a controller may reject a data subject’s objection where the processing is necessary for the performance of a task carried out for reasons of public interest. Importantly, the Guidelines clarify that this provision is not limited to public entities: a private controller whose legitimate research interest coincides with a public interest may also rely on it. Upon the receipt of such requests, controllers must assess and document on a case-by-case basis why each exception or limitation is justified.
5. Appropriate Safeguards Under Article 89(1)
Article 89(1) safeguards are the linchpin of the GDPR’s research framework: the presumption of purpose compatibility, extended storage and limitations on data subject rights all depend on their adoption. The Guidelines provide that controllers should start with a risk analysis — and, where required, a DPIA — that considers not only privacy risks but broader fundamental rights impacts, including discrimination, stigmatisation and loss of confidentiality. This is particularly relevant in the field of medical research, where the processing of personal data may directly or indirectly impact the provision of healthcare to data subjects.
On data minimisation, the Guidelines follow a clear hierarchy: anonymised data should be used where research purposes can be fulfilled without personal data; where anonymisation is not feasible, data should be pseudonymised using state-of-the-art methods; and directly identifiable data should only be processed where strictly necessary and proportionate to achieve the research objectives.
Beyond anonymisation and pseudonymisation, the EDPB catalogues additional safeguards including: independent or ethical oversight bodies; secure processing environments; privacy-enhancing technologies; strict purpose and access controls; confidentiality obligations for research staff; and protective measures when publishing results to prevent re-identification. For research involving genetic or biometric data, the Guidelines emphasise that additional safeguards — such as federated storage with access through secure processing environments — may be particularly important, given the specific and enduring risks posed by such data.
Controllers should map their existing measures against the EDPB’s safeguard catalogue and conduct a gap analysis. For AI-enabled research or large-scale processing of genetic data, a DPIA will almost always be required under Article 35 of the GDPR.
What Should Organisations Do Now?
The Guidelines, while still subject to public consultation, provide the most comprehensive compliance blueprint to date for research-related data processing under the GDPR. If finalised in substantially their current form, they should materially de-risk secondary use strategies, longer-term data retention and cross-institutional research collaboration — provided that controllers can evidence genuine scientific purposes and sustain Article 89(1) GDPR safeguards throughout the lifecycle of their research activities.
Organisations with UK operations should note that the UK Data (Use and Access) Act 2025 (DUAA), the principal data protection provisions of which will take effect throughout 2026, codifies the UK stance on scientific research. While the DUAA overlaps in certain respects with the Guidelines — both, for example, permit broad consent for scientific research — the UK’s statutory definition of “scientific research” differs meaningfully from the approach taken by the EDPB. The DUAA defines scientific research as “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity” — a broad, permissive formulation that does not incorporate the six-factor indicative framework set out in the Guidelines. In addition, the DUAA relaxes the requirement for consent to be fully informed where the purposes of scientific research cannot be identified in full at the time of collection, provided that the process of seeking consent is consistent with generally recognised ethical standards — a lower threshold than the additional safeguards required by the Guidelines to compensate for the lack of purpose specification under broad consent. These differences create a UK baseline that diverges materially from the GDPR framework in important respects and will require dual-track compliance for organisations operating under both regimes.
Healthcare and life sciences organisations should consider the following practical steps:
- Map research programmes to the six-factor framework. Review existing and pipeline research activities against the EDPB’s key indicative factors, documenting how protocol design, ethical oversight, and dissemination plans support the classification of each programme as scientific research within the meaning of the GDPR.
- Revisit lawful basis strategies. In light of the Guidelines’ more permissive approach to consent in clinical trials (which now confines the “freely given” concern primarily to data subjects with genuinely diminished capacity), organisations should evaluate whether consent may be a more viable and administratively efficient lawful basis than previously assumed, particularly for research programmes involving direct interaction with participants. At the same time, the public interest and legitimate interest pathways should not be overlooked as alternatives or supplements, particularly for secondary use programmes where obtaining consent may not be practicable. When relying on Article 9(2)(j) of the GDPR, map the applicable Article 9(2)(j) derogations — and any additional national conditions — in each jurisdiction where special category data are processed.
- Update consent architectures. Ensure that broad consent is limited to defined research areas, supplemented by dynamic consent for projects that fall outside the original scope, and that both are clearly distinguished from consent to participate in research required by ethical or sectoral law (including under the Clinical Trials Regulation).
- Strengthen transparency and rights processes. Implement layered information frameworks covering the full lifecycle of research activities and develop documented processes for handling erasure requests and objections in research contexts, including the criteria for invoking the Article 17(3)(d) GDPR and Article 21(6) GDPR limitations.
- Rationalise role allocation and contracting. Review joint controller arrangements and processor agreements across research consortia, contract research organisation relationships, and biobank partnerships, ensuring that they reflect the EDPB’s guidance on the functional attribution of controller and processor roles.
- Submit consultation feedback. The consultation closes on 25 June 2026. Organisations with sector-specific perspectives — particularly on definitional boundaries, safeguard expectations for AI-enabled research, and the interaction between the Guidelines and the EHDS and the proposed European Biotech Act — should engage directly with the EDPB during this window.