On 15 April 2026, the European Data Protection Board (the "EDPB") adopted draft Guidelines 1/2026 on processing of personal data for scientific research purposes (the "Guidelines"). Until now, the lack of clear EU-wide interpretation of the scientific research provisions in the General Data Protection Regulation (“GDPR”) has left research institutions and clinical trial sponsors navigating complex GDPR compliance issues and diverging approaches across EU member states. 

The Guidelines, which are open for public consultation until 25 June 2026, aim to facilitate easier GDPR compliance and provide clearer guidance for researchers in life sciences and healthcare. The EDPB addresses key issues such as consent, purpose limitation, and how to determine whether an activity qualifies as “scientific research”, providing a number of illustrative examples to support their advice. The Guidelines also clarify when organisations can re‑use and retain data for research in a compliant way, so that valuable studies can go ahead while individuals’ personal data remains protected and more consistently safeguarded across the EU. 

Concept of Scientific Research

The Guidelines set out six key factors that, when present, will indicate whether processing of personal data when conducting research activities is motivated by scientific purposes, in light of the nature, scope, context and purposes of processing:

• a methodical and systematic approach;
• adherence to ethical standards;
• verifiability and transparency;
• autonomy and independence;
• research objectives that aim to contribute to the growth of society’s general knowledge and wellbeing; and
• potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways.

Where all of these factors are met, the processing is treated as scientific research within the meaning of the GDPR. If not, controllers must justify, and be able to demonstrate, why the activities should nonetheless fall within that definition. The Guidelines clarify that profit-making research can still qualify, provided it meets these criteria, whereas internal analytics carried out solely for marketing or product promotion would not.

Presumption of Compatibility

Another helpful clarification by the EDPB is that further processing for scientific research purposes is presumed compatible with the original purpose of collection, so controllers need not carry out a separate compatibility assessment, provided the processing is lawful. 

Storage Limitation

The Guidelines confirm that controllers may retain data for longer periods of time (i.e. beyond fulfilment of the original purpose for processing), where information is used solely for scientific research purposes with appropriate safeguards. If the specific purposes of future research cannot be defined at the time of storage, specifying potential research in a certain area of research can suffice, as long as:

• future scientific research activities are reasonably foreseeable in relation to the relevant scientific field of research; and
• retention for generic scientific research purposes only is not sufficiently specific.

Consent

The Guidelines take a more permissive stance on consent, permitting:

• Broad consent from data subjects to collect and process personal data in a certain area of scientific research if the specific purposes of research are not fully known at the time of collection. Precise purposes can be clearly determined later, provided ethical standards and safeguards are maintained.
• Ongoing consent mechanisms that allow participants to confirm or adjust their choices as projects evolve.

This allows organisations to rely on broad consent if a research project moves in a direction that was not anticipated or expected at the time when the personal data was collected, so long as the processing remains within the relevant research area and, critically, the reasonable expectations of the relevant data subjects. 

Whilst the EDPB’s position on broad consent overlaps substantially with the UK under the Data (Use and Access) Act 2025, the requirement for additional safeguards sets a higher threshold in the EU. Examples of additional safeguards that should be adopted to compensate for the lack of purpose specification and give data subjects sufficient control over the use of their personal data include:

• making detailed up-to-date data processing information available to data subjects (i.e. via a webpage) as research projects progress;
• measures for use and access controls;
• time-limited validity of consent; or
• engaging an independent oversight body.

Comparison to the UK

The UK has (as we summarised here) adopted an even more permissive framework for the use of personal data in scientific research, with a wider definition to capture “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. This contrasts with the EDPB’s six-factor test outlined above. 

As a result, organisations operating under both regimes may need to adopt a dual-track compliance approach. However, compared with the current patchwork of national implementing laws in the EU, the Guidelines offer a more predictable framework for researchers in the EU; especially for cross-border consortia and AI enabled studies, where uncertainty over legal bases, retention and safeguards for processing personal data may previously have slowed or discouraged research collaboration.

With thanks to Anastasios Proios Doukas for his contribution to this article.