20 May 2026

Scientific Research Under GDPR: EDPB Sets New Boundaries

On 15 April 2026, the European Data Protection Board (EDPB) published draft Guidelines on the processing of personal data for scientific research (Guidelines), marking a significant step towards greater consistency in the application of the General Data Protection Regulation (GDPR). Echoing its commitment in last year’s Helsinki Statement on Enhanced Clarity, the EDPB seeks to address longstanding areas of uncertainty by providing more structured guidance on how key GDPR principles apply in a research context. The Guidelines are intended to help organisations make greater use of data for research purposes while maintaining a high standard of data protection.

The draft Guidelines are particularly noteworthy for organisations engaged in scientific research, as they clarify the scope and application of the GDPR’s research-specific flexibilities. In particular, the main takeaways are:

  1. Only activities that qualify as “genuine” scientific research can benefit from the GDPR’s research-related derogations;
  2. Further processing for scientific research purposes is presumed to be compatible with the original purpose of collection;
  3. Personal data may be retained for future research beyond the initial purpose, subject to appropriate safeguards;
  4. Broad and dynamic consent models are recognised as potentially valid lawful bases in the research context;
  5. Controllers must ensure ongoing transparency and continue to uphold data subjects’ rights, including rights to erasure and objection; and
  6. Appropriate safeguards must be implemented, with a clear preference for anonymisation or pseudonymisation where possible.

The public consultation closes on 25 June 2026.

1. When Does Processing Qualify as “Scientific Research”? 

Controllers must be able to demonstrate that their activities constitute genuine scientific research. While the GDPR adopts a broad interpretation (Recital 159), the EDPB emphasises that this cannot be stretched beyond its ordinary meaning and must align with recognised research standards. In the absence of a prescribed definition, the Guidelines set out six indicative factors to assist controllers in assessing whether their activities qualify as scientific research:

  • a systematic approach involving the testing of a hypothesis;
  • compliance with ethical standards, including respect for consent;
  • the pursuit of verifiable results capable of scrutiny through peer review;
  • independence from biases, with transparency as to any biases present;
  • contribution to societal knowledge and well-being; and
  • the potential to advance existing scientific knowledge or apply it in novel ways.

Where these factors are met, the activity is more likely to qualify. 

An exception applies where processing falls outside scientific research but is ancillary to it. In such cases, the activity may still benefit from the scientific research framework, provided it is clearly motivated by a research aim. For example, the anonymisation of personal data within a research project may qualify. Ancillary activities are assessed on a case-by-case basis with regard to the six factors above.

As a matter of good practice, controllers should document how their processing meets the six factors and qualifies as scientific research. The Guidelines recommend documentation in a research protocol or a Data Protection Impact Assessment (DPIA).

2. The Presumption of Compatibility For Further Processing 

The EDPB also clarifies that further processing for scientific research purposes is presumed compatible with the original purpose (as per Recital 50), meaning controllers do not need to carry out a separate compatibility test under Article 6(4), provided the original legal basis remains valid.

Notably, where personal data is shared with another controller who intends to process it for scientific research purposes, this constitutes further processing, and the Guidelines make clear that neither the providing nor the receiving controller would need to undertake a compatibility assessment under Article 6(4) of the GDPR.

3. Storage Limitation

As a starting point, controllers are required to define retention periods for personal data and communicate these to data subjects. However, the Guidelines confirm that Article 5(1)(e) permits controllers to store personal data for future scientific research, even where the original purpose has been fulfilled. The EDPB provides an example in which an initial research stage identifies avenues for future research that require further processing of personal data, which is permitted under Article 5(1)(e). 

In any event, controllers must still clearly identify which categories of data are retained for such purposes.

4. Recognition of Broad and Dynamic Consent as Lawful Bases

The Guidelines recognise increased flexibility around consent, including:

  • broad consent, where the research purposes are not yet fully known at the point of data collection; and
  • dynamic consent, whereby individual consent is obtained for each separate research project.

A combination of both is also possible, providing flexibility to controllers. However, general consent to participate in the research must be distinguished from consent under the GDPR. Where controllers make multiple consent requests, these must be clearly distinguishable, with the Guidelines citing separate consent forms or indirect methods, such as a webpage, as examples of what may be necessary.

Within clinical trials, the EDPB encourages the use of consent as a legal basis, clarifying that being a patient alone does not create a power imbalance. Such an imbalance arises only where the data subject’s capacity is severely affected by a mental or physical condition. 

Beyond consent, the Guidelines clarify that reliance on the public interest lawful basis may be available to private companies, not just to public entities carrying out scientific research. However, they may only rely on this where authorised by Union or Member State law — a restriction which carries clear implications for company-sponsored research.

By contrast, in the case of legitimate interests, scientific research may qualify even where the project is for profit. The Guidelines further clarify that genuine scientific research constitutes an important activity beneficial to society when applying the balancing test, provided that sufficient safeguards are implemented.

The Guidelines clearly specify that three avenues exist to process special categories of data (Article 9(2)). 

  • Firstly, when processing special categories of data, controllers may rely on Union or Member State law, provided that the scientific research incorporates appropriate safeguards to protect the rights of data subjects. Member States also retain discretion to impose additional requirements governing such processing, highlighting the importance of controllers verifying each jurisdiction’s requirements.
  • Secondly, where no Union or Member State law authorises the processing, controllers may alternatively rely on broad or dynamic consent. Approaches may continue to vary across the EU, so controllers will need to verify Member State-specific requirements in addition to the GDPR.
  • Thirdly, the Guidelines also recognise an additional basis where the data has been manifestly made public by the data subject.

5. Transparency Obligations and Rights of Data Subjects

The EDPB emphasises that transparency is an ongoing obligation extending across the entire lifecycle of processing and is not limited to the point of collection. This includes situations where processing evolves over time and may continue even where the controller no longer has direct contact with data subjects. In such cases, the EDPB points to alternative measures — such as dedicated webpages — to keep data subjects indirectly informed.

Where a controller receives pseudonymised data for scientific research purposes, they must still ensure that data subjects can effectively exercise their rights, for example, by providing the pseudonym linked to their personal data. Derogations from data subject rights (including erasure and objection) are narrowly construed and must be applied on a case-by-case basis in accordance with Article 89.

In particular, where a data subject objects to processing for scientific research, they may also request deletion. Where a controller seeks to override such an objection, the EDPB makes clear that necessity is interpreted strictly: the controller must demonstrate that, without processing the data in question, the research would be either impossible or seriously impaired.

6. Appropriate Safeguards

The Guidelines place significant emphasis on appropriate safeguards as a cornerstone of compliant research processing. Controllers are expected to adopt a risk-based approach, including conducting a risk assessment (for example, through a DPIA). The EDPB reiterates a clear hierarchy: personal data should be anonymised where possible, otherwise pseudonymised, with the use of identifiable data limited to what is strictly necessary and proportionate. The EDPB also highlights a growing set of best practice safeguards, including secure processing environments and federated data access models, signalling an emerging benchmark for research governance.

As a general rule, safeguards must be assessed by reference to the nature, scope, context, purposes, and risks of the research, with responsibility resting on the controller. Controllers should also consider the impact on individual data subjects — particularly those in vulnerable groups — as well as potential knock-on effects on related persons, such as family members. Controllers should also be mindful of the data minimisation principle, requiring personal data to be relevant and limited to what is strictly necessary for the purpose of processing.

Next Steps

Although the consultation remains open until 25 June 2026, the Guidelines provide a clear indication of the EDPB’s direction of travel. Now is the time for organisations to stress-test their research frameworks. In particular, they should assess whether their activities meet the EDPB’s “genuine scientific research” criteria, revisit role allocation across complex research networks, and ensure that governance, transparency, and safeguards can withstand increased scrutiny.

More broadly, the Guidelines signal a shift towards greater accountability and evidencing in research-driven processing. Organisations that cannot clearly articulate why their activities qualify as scientific research — or demonstrate robust safeguards — may find themselves exposed to regulatory scrutiny under the GDPR.

Those who act early will be best placed not only to comply, but to leverage the GDPR’s research flexibilities with confidence as the regulatory landscape continues to evolve.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.