On April 15, 2026, the European Data Protection Board ("EDPB") adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes (the "Guidelines"). The Guidelines have been published in draft form for public consultation and are not yet final. Stakeholders may submit comments through June 26, 2026. Once finalized, the Guidelines will represent the EDPB's authoritative interpretation of how the GDPR applies to Controllers and Processors engaged in scientific research.
The Guidelines aim to bring clarity and practical guidance to a diverse and complex area of data processing, covering a wide range of actors, fields of research, data types, and technologies. They are also part of the EDPB's commitment, set out in its Helsinki statement, to facilitate easier GDPR compliance.
Key Takeaways
Organizations engaged in scientific research—whether academic, public, or commercial (for example, through clinical drug trials)—should consider the following:
First, only genuinely scientific activities will benefit from the GDPR's favorable research provisions. The EDPB introduces a six-factor test to determine whether processing qualifies as scientific research. If all six factors are satisfied, the activities are presumed to constitute scientific research; if not, the Controller must affirmatively justify why its activities should nonetheless qualify under the GDPR.
Second, the presumption of purpose compatibility under Article 5(1)(b) GDPR applies to further processing for scientific research, removing the need for a separate compatibility test. However, the Controller must still identify and rely on a lawful basis for the further processing.
Third, Controllers may use "broad consent" for processing in a well-defined area of scientific research when purposes are not fully known at the time of collection (that is, for potential future purposes), but they must adopt additional safeguards and define the purposes as clearly as possible. In this context, a Controller may later decide to use a data subject's data in individual research projects, but it must take care to properly inform and prepare the data subjects for this possible use.
Fourth, private entities can rely on the public interest legal basis under Article 6(1)(e) GDPR if the relevant legal act covers their activities. Legitimate interest under Article 6(1)(f) is also available for scientific research regardless of whether the research is commercial.
Fifth, the Guidelines reaffirm that anonymization or pseudonymization must be the first-line safeguard under Article 89(1) GDPR whenever the research purposes can be fulfilled by such means. Pseudonymization in particular must rest upon a secure authentication framework that only allows for relevant individuals to de-code the data and identify the data subjects to whom the personal data pertains.
Sixth, with respect to cross-border transfers, the Guidelines do not create new rules but reaffirm that engaging research partners outside the EEA—resulting in transfers of personal data to third countries or international organizations—triggers both transparency obligations toward data subjects and the specific transfer requirements of Chapter V of the GDPR.
Scope and Definition of Scientific Research
The Guidelines clarify that the GDPR's specific provisions on scientific research apply only to processing that is genuinely motivated by scientific research purposes. To assist Controllers in making this determination, the EDPB sets out a six-factor evaluation: (i) a methodical and systematic approach, (ii) adherence to ethical standards, (iii) verifiability and transparency of results, (iv) autonomy and independence of researchers, (v) objectives aimed at contributing to society's general knowledge and well-being, and (vi) potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways.
If all six factors are met, the activities are presumed to constitute scientific research (and though not stated, individuals may be able to rebut this presumption upon actual use of their data). If the research activities, prima facie, do not meet all factors, the Controller must be able to justify and demonstrate why the activities should nonetheless be considered scientific research within the meaning of the GDPR; the more key-indicative factors that are present, the more likely it is that the activities qualify. However, the Guidelines do not propose any specific mechanism whereby Controllers can receive confirmation that their activities meet this standard prior to beginning; that is, the Guidelines set forth no compliance organization that will affirmatively categorize specific activities as scientific research or not.
Purpose Limitation and Storage
Further processing of personal data for scientific research purposes is presumed to be compatible with the initial purpose of collection under Article 5(1)(b) GDPR, relieving the Controller of the obligation to conduct the compatibility test under Article 6(4). However, the Controller must still determine a lawful basis for the further processing, and it is often possible to rely on the same legal basis that applied to the initial collection.
Regarding the storage and retention limitations of the GDPR, Controllers may store personal data for longer periods if the data is intended for further processing for specific scientific research purposes, even after the original purposes have been fulfilled. Storing data for entirely generic or unspecified "scientific research purposes" is not permissible; the Controller must specify potential research in a certain area and substantiate how it intends to use the personal data in future projects. Controllers must also regularly review the necessity of continued storage and the format in which data is retained.
Lawful Bases for Processing
The Guidelines address the main lawful bases relevant to scientific research:
Consent (broad and dynamic). Controllers may obtain broad consent for processing in a defined area of scientific research when specific purposes are not yet known at the time of collection, subject to additional safeguards such as independent oversight and enhanced transparency measures. Dynamic consent requires the Controller to obtain separate consent for each new research project or stage as purposes become known. A combination of both approaches is permissible.
Public interest. Processing on the basis of Article 6(1)(e) GDPR must be grounded in Union or Member State law. Private entities may also rely on this legal basis if the legal act authorizing the research covers their activities.
Legitimate interest. Scientific research can constitute a legitimate interest under Article 6(1)(f) GDPR, whether conducted on a non-profit or commercial basis. The significant societal interest in scientific research carries substantial weight in the balancing test.
Clinical Data and Special Categories of Personal Data
Controllers processing special categories of data for scientific research (which oftentimes applies to medical data used in clinical trials) would be required to identify a valid derogation under Article 9(2) GDPR. Permissible derogations include explicit (broad or dynamic) consent under Article 9(2)(a), Union or Member State law under Article 9(2)(g), (i), or (j), and data manifestly made public by the data subject under Article 9(2)(e).
The Guidelines confirm that clinical trials conducted by pharmaceutical companies can qualify as scientific research under the GDPR, provided the key-indicative factors are satisfied. In the context of clinical trials involving patients, the EDPB emphasizes that Controllers should consider the mental or physical condition of patients when determining whether consent can be freely given; if a patient's capacity is severely affected, the Controller should refrain from relying on consent.
Where processing of health data for scientific research is based on legitimate interest under Article 6(1)(f), Controllers may also rely on the derogation in Article 53(1)(e) of the European Health Data Space Regulation (EHDS).
Cross-Border Transfers
The Guidelines do not introduce new rules on international data transfers for scientific research but reaffirm existing GDPR requirements. They do, however, touch on the topic in the context of transparency. When a Controller engages new research partners outside the EEA and this may result in transfers of personal data to third countries or international organizations, it may trigger a change to processing operations about which data subjects must be informed. Such transfers also remain subject to the specific provisions in Chapter V of the GDPR, and the EDPB refers to its separate Guidelines 05/2021 on the interplay between Article 3 and Chapter V for further detail on what constitutes a transfer.
For organizations involved in multi-jurisdictional clinical research or collaborative research consortia, this means that the addition of research sites or partners outside the EEA will trigger both a transparency update obligation and the requirement to establish an appropriate transfer mechanism under Chapter V.
Appropriate Safeguards and Accountability
Controllers must adopt appropriate safeguards under Article 89(1) GDPR. The primary safeguard is anonymization of personal data wherever the research purposes can be fulfilled without identifying data subjects; where anonymization is not achievable, pseudonymization should be applied. Processing identifiable personal data is only permissible where it is strictly necessary and proportionate.
Beyond anonymization and pseudonymization, other safeguards may include governance structures for oversight, ethical review, secure processing environments, privacy-enhancing technologies, strict purpose-limitation through contractual terms, confidentiality obligations, access controls, and qualification requirements for researchers.
Where several entities are involved in research, the allocation of Controller, Joint Controller, and Processor roles must be clearly assessed and documented. This is particularly important in multi-party research consortia and public-private partnerships, where a jointly-drafted research protocol may establish joint controllership among all participants.
Next Steps
Organizations involved in scientific research should review these draft Guidelines carefully and consider compliance obligations now. Individuals and businesses may also submit comments in response to the proposed guidelines by June 26, 2026. The Guidelines, once finalized, will shape supervisory authority expectations and enforcement across the EEA. In particular, entities conducting clinical trials or health research involving cross-border data flows should assess their current practices against the EDPB's positions on consent, special category derogations, transparency obligations, and transfer mechanisms.
