
EDPB publishes Draft Guidelines on processing of personal data for scientific research purposes

The European Data Protection Board (“EDPB”) recently published Guidelines 1/2026 on processing of personal data for scientific research purposes (the “Guidelines”).  The Guidelines are intended to enhance the competitiveness of the scientific and technological research industry in Europe by providing legal certainty regarding the processing of personal data for scientific research purposes. The Guidelines are subject to public consultation until 25 June 2026.

In this article, we consider some of the key highlights of the Guidelines including: what constitutes “scientific research”; the presumption of purpose compatibility; the common lawful bases for processing scientific research data (including special category data); transparency of such processing; and the attribution of responsibilities as between controllers, processors and joint controllers.

What constitutes “Scientific Research” under the GDPR?

The Guidelines highlight that there is no universally agreed definition of “scientific research” and confirm that the concept should be interpreted broadly, in line with Recital 159 GDPR.  Scientific research may therefore encompass fundamental and applied research, technological development, privately funded research, and public health studies.  However, the EDPB also warns that the concept of scientific research should not be stretched beyond its common meaning.

The Guidelines set out six indicative factors which controllers should consider when determining whether processing can be carried out for scientific research purposes under the GDPR. Where all six factors are present, the activity is presumed to constitute scientific research within the meaning of the GDPR. However, where one or more factors are not satisfied, controllers seeking to rely on the scientific research framework must be able to demonstrate, with sufficient justification, why their processing activities nonetheless qualify. The more factors present to support the justification, the more likely the processing will be determined to be scientific research. The factors should be assessed in light of the nature, scope, context, and purpose of the processing activity.

The six indicative factors are:

  1. Methodical and systematic approach – Do the research activities follow a defined methodology such as a research plan or a stated objective?
  2. Adherence to ethical standards – Does the research comply with recognised ethical standards such as those that require respect for human autonomy, consent, transparency and oversight?
  3. Verifiability and transparency – Are the results of the research verifiable and publishable or sharable, subject to legitimate safeguards and applicable limitations?
  4. Autonomy and independence – Is the research process conducted with a degree of independence, allowing researchers to define hypotheses and methodology without undue external influence, whether in academic or commercial settings, and do the researchers possess the relevant academic or scientific qualifications?
  5. Objectives of the research – Does the research contribute to the collective knowledge and wellbeing of society?
  6. Potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways – Does the research aim to advance scientific knowledge or apply existing knowledge in new ways?

When considering whether personal data processed in a research depository, database or infrastructure qualifies as being used for scientific research purposes, controllers should evaluate the processing against the above factors.  The Guidelines further clarify that ancillary processing (such as data extraction, data filtering and anonymisation / pseudonymisation) may also fall within the scope of scientific research purposes under the GDPR.

Presumption of purpose compatibility and storage limitation

Article 5(1)(b) GDPR requires that personal data should be collected for “specified, explicit and legitimate purposes” and should not be further processed in a manner that is incompatible with those purposes. Accordingly, it is generally the case that where a controller intends to process personal data for a new purpose, it must first assess whether that new purpose is compatible with the original purpose in line with Article 6(4) GDPR.

However, Article 5(1)(b) GDPR explicitly provides for a presumption of compatibility where the further processing is for scientific research purposes, meaning that controllers are not required to perform the compatibility test under Article 6(4) GDPR.

The EDPB clarifies that purpose compatibility must not be conflated with the legal basis for processing.  In many cases, controllers can rely on the same legal basis that applied to the initial processing, particularly where appropriate Article 89(1) GDPR safeguards have been adopted. However, controllers must verify that the original legal basis remains suitable for the further processing and, if not, identify and establish a different legal basis.  In particular, where the initial processing was based on consent or compliance with a legal obligation, the controller may not be able to rely on the same legal basis for data processing for scientific research purposes.

In regard to storage limitation under Article 5(1)(e) GDPR, the Guidelines confirm that controllers may retain personal data beyond the point at which the original processing purpose has been fulfilled where the data will be processed solely for scientific research purposes, subject to appropriate Article 89(1) GDPR safeguards. However, storage for generic, unspecified scientific research purposes is not justified.

Legal basis for processing personal data for scientific research purposes

The EDPB confirms that consent, public interest and legitimate interest provide potential legal bases for processing personal data for scientific research purposes.  Each legal basis must be assessed in light of the specific circumstances of the processing activity, including the nature of the research, the data involved and the relationship between the data subject and the controller.

  • Consent: The Guidelines confirm that the GDPR permits “broad consent” for the processing of personal data within a defined area of scientific research purposes, where the purposes cannot be fully determined at the time of collection. The Guidelines emphasise that the key test for relying on “broad consent” is whether a data subject would reasonably expect their data to be used for that type of research. To rely on broad consent, the controller should process personal data in accordance with ethical standards for scientific research and put additional safeguards in place to compensate for the lack of purpose specification.  Controllers can also ask data subjects to consent to different individual research projects, or parts thereof, separately, as soon as the purposes of those projects become known (so-called “dynamic consent”).
  • Public interest or the exercise of official authority: The Guidelines clarify that reliance on the public interest legal basis (Article 6(1)(e) GDPR) is not limited to public authorities conducting scientific research. Private entities may also rely on this legal basis where the processing is grounded in Union or Member State law and serves a recognised public interest.
  • Legitimate interest: The EDPB recognises that scientific research, whether undertaken on a non-profit or commercial basis, can constitute a legitimate interest (Article 6(1)(f) GDPR), subject to carrying out a legitimate interest assessment. The Guidelines note that controllers processing personal data for scientific research purposes can often attribute significant weight to the research interest in the balancing test. This is because genuine scientific research is considered to be an important activity that is beneficial for the whole of society.

Legal basis for processing special categories of personal data for scientific research purposes

The processing of special categories of personal data is prohibited unless an exemption under Article 9(2) GDPR applies.  The Guidelines highlight the primary exemptions that may be relied on by organisations to process special categories of personal data for scientific research purposes. These include:

  • Explicit consent: Controllers may obtain explicit consent, including broad or dynamic consent, pursuant to Article 9(2)(a) GDPR, to process special categories of personal data for scientific research purposes.
  • Personal data manifestly made public by the data subject: Where a data subject has intended, explicitly and by a clear affirmative action, to make the special category personal data accessible to the general public, a data controller may assess whether it can process the personal data on that basis. The word “manifestly” implies that there is a high threshold for relying on the exemption. The Guidelines note that controllers should also consider the context in which the special categories of data are made public and by whom. For example, special categories of personal data that are actively posted by data subjects themselves can indicate that the data has been manifestly made public, which would not be the case if the data was posted by a third party.
  • Derogations under Article 9(2)(g), (i) and (j) GDPR: Controllers may rely on a derogation to the prohibition of processing special categories of data provided by Union or Member State law, pursuant to Article 9(2)(g), (i) and (j) GDPR. A controller that intends to rely on such a derogation should consider and be able to demonstrate that the law in question applies to the intended processing for scientific research purposes.

Transparency obligations

The information / transparency obligations in Articles 12-14 GDPR are a key focus of the Guidelines, particularly in the context of long-term and evolving research projects.  The EDPB recommends that controllers implement layered and dynamic transparency tools, such as dedicated websites or periodic communications; inform data subjects where processing purposes or key parameters materially change; and ensure that data retention periods remain reasonably foreseeable and linked to a defined scientific field, while regularly reassessing the necessity and proportionality of continued storage.

Generally, controllers should consider the following when determining how best to comply with their transparency obligations:

  • Processing data over longer periods of time: Where a controller anticipates that it will process personal data for scientific research purposes over longer periods of time, such as for generational studies or when data is contained in a research infrastructure such as a data repository, the controller should give data subjects an opportunity to voluntarily provide contact details. This will make it possible for data subjects to get necessary updates on the processing of their personal data. Controllers should consider use of tools such as privacy dashboards to allow data subjects to easily understand how their data is used, and to ask questions about the processing of their personal data to the controller, or to withdraw consent, where applicable, in an easy and accessible manner.
  • Timeliness of information provision: Controllers must provide information on processing of personal data at the time of collection, if they are collecting the information directly from the data subject (per Article 13 GDPR). The Guidelines provide a number of examples on how information should best be provided to data subjects in various situations such as clinical trials, interview-based studies and collection of data through extension applications (examples 11 – 13).  Where a controller receives personal data from another controller and intends to process it for scientific purposes, the obligation to provide information pursuant to Article 14 GDPR applies.
  • Direct contact: The obligation to provide information pursuant to Article 13 GDPR applies even if the controller does not itself process or have access to any personal data, nor have any direct or indirect contact with the data subject. One such case is if the processing of personal data for scientific research is undertaken by a processor on behalf of the controller, or a joint controller. In such situations, the processor or the other controller may provide information to data subjects on the controller’s behalf.
  • Exceptions: There are limited exceptions from the obligation to inform where a controller did not collect personal data directly from data subjects, such as where the provision of information is impossible or would involve disproportionate effort (e.g. a large amount of patient data on a large registry, difficulty finding contact details or the age of the data set) (per Article 14(5) GDPR). In such circumstances, the controller must make the information publicly available to data subjects, such as by providing information on a website, or advertising in public spaces, on the television, radio, in newspapers or online.
  • Changes to processing operations for scientific research purposes: A controller must inform data subjects of any changes to processing operations for scientific research purposes, where such changes render the information previously provided to data subjects obsolete or incomplete (per Article 13(4) and 14(5)(a) GDPR). Examples include substantial changes to the objectives of a research project or to the identity of the controller (such as a research laboratory merging with another laboratory, forming a new entity), an extension of the period of processing (including storage), or engagement with new research partners that would not reasonably be expected by a data subject and that will receive personal data.

Attribution of responsibilities as between controllers and processors

The EDPB observes that where personal data is processed for scientific research purposes involving several entities, it is necessary to assess and document how responsibility is allocated among the entities. The determination of who is the controller or processor may be particularly relevant where multiple actors are involved in drafting scientific research protocols; such actors include sponsors, hospitals and private companies. The Guidelines contain helpful examples of when an actor processes personal data as a controller, processor or joint controller in the context of scientific research, which should help organisations determine which role they play, and what GDPR obligations they are subject to.

Controllers

The EDPB notes that the fact that an organisation provides research funding or is consulted in the process of drafting a research protocol is not in itself sufficient to attribute the role of a controller (or joint controller).  Additionally, the EDPB notes that responsibility does not depend on an actor processing personal data.  This is the case, for example, in respect of clinical trials. In that context, most of the processing of directly identifiable personal data takes place at a clinical trial site, such as a health care facility. The sponsor, which mainly processes pseudonymised data, is nonetheless still regarded as a controller (or joint controller) because it determines the purposes and means of processing personal data in a clinical trial, in particular in respect to drafting the trial protocol.

Typically, it is a legal person that determines the purposes and essential means of processing. When processing for scientific research purposes, this could be a research institute, a hospital, a university, a commercial company, or a non-profit research organisation. Individuals such as researchers and laboratory technicians are generally not considered controllers, but rather as acting under the authority of a controller.

Processors

In the context of processing of personal data for scientific research, the EDPB notes that different entities can act as processors, e.g. a research institution, a hospital, a software provider, a contract research organisation (CRO) or an individual researcher (external to the controller). While several entities are often co-operatively involved in the processing of personal data for scientific research purposes, this does not necessarily mean that they are to be regarded as processors, as they can, depending on the circumstances, instead be joint controllers.

Joint Controllers

Joint controllership occurs when two or more entities participate jointly in the determination of the purposes and essential elements of the means of processing.  There can be challenges in distinguishing joint controllership from entities who are both merely processing data for scientific research purposes and this will be determined on a case-by-case basis.  An indicative factor for joint controllership may include participating jointly in the drafting of a research protocol that determines the purposes and essential means of processing of personal data.

Data subject rights

Data subjects retain their GDPR rights in respect of the processing of their personal data for scientific research purposes. However, certain limitations apply in a scientific research context. Firstly, the right to erasure under Article 17 GDPR is subject to an exception under Article 17(3)(d) GDPR, where erasure would be “likely to render impossible or seriously impair” the research objectives and the controller has adopted appropriate safeguards.

Similarly, the right to object under Article 21 GDPR is subject to an exception under Article 21(6) GDPR, which provides that in the context of scientific research, a controller may reject a data subject’s objection where “the processing is necessary for the performance of a task carried out for reasons of public interest”.

Controllers should also take steps to inform data subjects of these exceptions when fulfilling their transparency obligations, particularly if they anticipate that they will apply one of these exceptions when a data subject exercises their right of erasure or objection. In addition, upon receipt of such data subject requests, controllers should take steps to assess and document on a case-by-case basis why it is necessary to apply any limitation to these rights.

Comment

The Guidelines provide helpful guidance in regard to the processing of personal data for scientific research purposes, thereby providing a more structured framework for compliance. They provide further legal certainty to the extent that they clarify the scope of the concept of “scientific research”, the conditions for valid consent, and other appropriate legal bases to rely on under Articles 6 and 9 GDPR (as applicable).  Nonetheless, it is essential that controllers take steps to carry out and document a lawful basis assessment in respect of any processing of personal data for scientific research purposes in order to be able to demonstrate to the competent supervisory authority, on request, how they are complying with their Article 6 and Article 9 obligations. Organisations should also take steps to strengthen their transparency and information frameworks to ensure they cover the full scope of scientific research activities, and develop well-documented policies and procedures for handling data subject requests, in particular erasure and objection requests.


© 2026 Matheson LLP | All Rights Reserved