
EDPB Guidelines on processing personal data for scientific research – Key takeaways


The European Data Protection Board has published its long-awaited Guidelines 1/2026 on the processing of personal data for scientific research purposes. The Guidelines are now open for public consultation until 25 June 2026. After years of fragmented national approaches, the Guidelines aim to bring much-needed clarity to a critical area for life sciences companies, research institutions and any organisation processing personal data for research. Our team sets out the key takeaways below.

On 16 April 2026, the European Data Protection Board (EDPB) published its Guidelines 1/2026 on the processing of personal data for scientific research purposes, adopted for public consultation. Comments may be submitted until 25 June 2026. The Guidelines address a broad range of issues, including the concept of scientific research under the GDPR, the applicable legal bases for processing personal data in research contexts, transparency obligations, data subject rights and the safeguards required under Article 89(1) of the GDPR. The EDPB's stated objective is to make GDPR compliance easier for researchers, in line with its Helsinki statement commitments to provide practical resources that simplify the application of the GDPR.

No definition, but a practical test

Rather than adopting a fixed definition of "scientific research", the EDPB acknowledges that no universally agreed definition exists. Instead, the Guidelines present six key indicative factors that controllers should assess when determining whether processing of personal data is motivated by scientific research purposes. These factors are:

(i) Methodical and systematic approach: the research activities, including formulation and testing of a hypothesis, are conducted following a methodical and systematic approach of the relevant research field, for example in accordance with a comprehensive research plan.

(ii) Adherence to ethical standards: the research activities are conducted in adherence to ethical standards in the relevant research field, which are intended to prevent individuals from being subjected to harm or other adverse effects due to participating in scientific research.

(iii) Verifiability and transparency: the research activities aim to achieve verifiable results, the conduct of research allows hypotheses, methods, data and conclusions to be open to criticism, normally following peer review, and the results are shared or will be shared with other parties.

(iv) Autonomy and independence: the research activities are conducted autonomously and independently in relation to the prejudices of the scientific community, other external parties, and the researcher's own prejudices, and the research team has the freedom to define research questions, identify methods, choose scientific theories and disseminate results. The researchers processing the personal data should have academic or scientific qualifications in the relevant field, and this applies regardless of whether the research is carried out by an academic institution, a non-profit organisation, a public institution or a commercial company.

(v) Objectives of the research: the research activities are carried out with the aim of contributing to the growth of society's general knowledge and wellbeing, although this does not exclude research that may also aim to further commercial interests.

(vi) Potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways: the research activities are merited, as they have the potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways, and the scientific merits can be subject to assessment, review or approval by independent experts or committees.

If all six factors are met, the research activities can be presumed to constitute scientific research. If not all factors are satisfied, the controller needs to justify and demonstrate why the activities should nonetheless be considered scientific research within the meaning of the GDPR, with the presence of more factors making it more likely that the activities qualify. The Guidelines make clear that commercially-funded research can qualify, citing the example of a pharmaceutical company conducting a clinical trial, while pure market analytics (such as a retail company analysing sales data to inform its marketing strategy) clearly does not.

Broad and dynamic consent

One of the most significant aspects of the Guidelines is the EDPB's endorsement of both broad consent and dynamic consent as valid mechanisms for obtaining consent in the scientific research context.

  • Broad consent allows controllers to collect personal data for processing in future research projects within a certain area of scientific research, even when the specific purposes are not yet fully known at the time of collection. However, the EDPB is clear that broad consent is not a blank cheque. Controllers cannot ask data subjects to consent to processing without any specification of purposes, and it is not sufficient to state merely that personal data will be used for "scientific research purposes". Instead, purposes must be defined as clearly as possible, for example by delimiting them to a certain field of research such as medical research in oncology, or sociological research in criminology.

Broad consent also requires the adoption of meaningful safeguards to compensate for the lack of purpose specification. In particular, controllers should make detailed information available to data subjects (for example on a webpage) on how their personal data are being processed as the research progresses in individual research projects. In practice, this could be interpreted as allowing the information to be provided in two stages: initial information provided when the consent is collected, and then again as soon as more detailed information becomes available. Controllers should also consider implementing measures for use and access controls (such as an independent data trustee), time-limited validity of consent, or an independent oversight body which may include a representative of the research participants, experts in the relevant scientific research field, experts in data protection and the data protection officer. Additionally, controllers should consider providing an effective technical tool, or other measure, that empowers data subjects in the exercise of their choice regarding consent, and they should consider setting up a privacy dashboard, as described in the EDPB's Guidelines on transparency.

  • Dynamic consent, by contrast, involves asking data subjects to consent to each different individual research project – or part thereof – separately, as soon as the purposes for processing personal data in those projects become known and fall outside the scope of the broad consent originally obtained, including because they go beyond the broad purpose description and the data subject’s reasonable expectations in that regard. In that sense, the Guidelines can be read as allowing dynamic consent to operate alongside broad consent as a complementary mechanism, with broad consent covering an initial layer of future research within a defined area and dynamic consent being used at a later stage where greater specificity emerges and a renewed choice is appropriate. The EDPB recognises that dynamic consent can be particularly relevant where researchers are in a close and prolonged relationship with data subjects, as may be the case in long-term research projects where researchers interact with research participants on a regular basis.

These considerations represent the most detailed guidance the EDPB has provided to date on the concept of "specific" consent.

The EHDS connection

The Guidelines explicitly confirm that Article 53(1)(e) of the European Health Data Space Regulation (EHDS) constitutes a valid derogation under Article 9(2) of the GDPR for the processing of health data in scientific research contexts. In practice, this means that controllers could rely on legitimate interests under Article 6(1)(f) of the GDPR for scientific research and on Article 9(2)(j) of the GDPR, grounded in Article 53(1)(e) of the EHDS, for processing health data. This confirmation is particularly significant for the life sciences sector, where the interaction between the GDPR and the EHDS framework has been a source of uncertainty, especially in the context of clinical research, medical device development and pharmacovigilance.

The Digital Omnibus proposal

The Guidelines reference the Digital Omnibus proposal on several occasions, most notably in the context of further processing for scientific research purposes and transparency obligations. For example, the EDPB cites proposed Recital 29 and Article 3(2) of the Digital Omnibus in its discussion of the presumption of purpose compatibility under Article 5(1)(b) of the GDPR. It also references Recital 37 of the Digital Omnibus in the context of transparency and the provision of information to data subjects via electronic post boxes.

This is noteworthy because the Digital Omnibus proposal is not yet adopted and is not expected to be voted on until February 2027. The EDPB appears to be building parts of its guidance around the Digital Omnibus' draft concepts, effectively attempting to future-proof the Guidelines even though the final legislative text may still change. Stakeholders should be aware that some of the positions articulated in the Guidelines may need to be revisited depending on the final form the Digital Omnibus takes.

Key additional takeaways

Beyond the headline points above, a number of further aspects of the Guidelines merit attention.

  • On purpose compatibility, the EDPB confirms that further processing for scientific research purposes is presumed to be compatible with the initial purpose of collection under Article 5(1)(b) of the GDPR, and that controllers do not need to carry out the purpose compatibility test under Article 6(4) of the GDPR when further processing personal data for scientific research. In many cases, controllers will be able to rely on the same legal basis as for the initial processing, particularly where the initial basis was public interest or legitimate interest.
  • On legitimate interest, the EDPB confirms that scientific research can constitute a legitimate interest under Article 6(1)(f) of the GDPR, regardless of whether it is undertaken on a non-profit or commercial basis. Controllers can attribute significant weight to the processing of personal data for scientific research purposes when applying the balancing test, because genuine scientific research is considered to be an important activity that is beneficial for the whole of society.
  • On further processing for further scientific purposes under Article 13(3) GDPR, the Guidelines take a research-friendly line (thereby endorsing in substance the direction of travel reflected in the Digital Omnibus proposal): controllers must in principle inform data subjects before using data collected from the data subjects for a new scientific research purpose, but the EDPB recognises that direct re-contact may be impracticable. It therefore endorses a pragmatic solution: keep communication channels where future research use is foreseeable, make reasonable efforts to obtain contact details where possible, and otherwise use indirect notice measures likely to reach data subjects. This goes some way to closing a longstanding practical gap, because Article 13(3) contains no express derogation equivalent to Article 14(5) GDPR, yet the Guidelines avoid an interpretation that would make further scientific research unworkable in practice.
  • On appropriate safeguards, the EDPB emphasises that controllers must adopt safeguards under Article 89(1) of the GDPR when processing personal data for scientific research purposes, starting with a risk analysis or DPIA. Personal data should in the first place be anonymised, or where that is not possible, at least pseudonymised, provided that the research purposes can be fulfilled using such data. Beyond anonymisation and pseudonymisation, the Guidelines identify a broad menu of potential safeguards, including governance structures and oversight committees, enhanced transparency measures, secure processing environments, privacy-enhancing technologies, confidentiality obligations and qualification requirements for researchers.

Next steps

The public consultation on the Guidelines closes on 25 June 2026. Organisations that process personal data for scientific research, including pharmaceutical and medical device companies, research institutions, CROs and technology companies operating in the health data space, should consider submitting comments, particularly on the practical implications of the six-factor test, the conditions for broad consent and the interplay between the Guidelines and the forthcoming Digital Omnibus proposal.

Please contact our team if you have any questions about these new Guidelines or if you would like assistance in preparing a response to the public consultation.

 

 

Authored by Hélène Boland, David Bamberg and Julie Schwartz.
