
Scientific Research and the GDPR: EDPB Issues Long-Awaited Guidelines

On 15 April 2026, the European Data Protection Board (“EDPB”) published its long-awaited draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (the “Guidelines”), marking the most comprehensive regulatory statement to date on how the GDPR applies to scientific research activities.
For organisations in the life sciences sector, the Guidelines address long-standing areas of uncertainty — particularly around secondary use of data, broad consent, and transparency obligations — while signaling a clear shift toward stricter expectations on governance, purpose limitation, and accountability. The EDPB’s objective is clear: to promote a more consistent and workable framework across the EU, while maintaining robust safeguards.
Key Takeaways
- What Constitutes ‘Scientific Research’
The EDPB stops short of a formal definition but introduces six indicative factors to assess whether an activity constitutes scientific research:
- a methodical and systematic approach
- adherence to ethical standards
- verifiability and transparency
- autonomy and independence
- clearly defined objectives
- contribution to existing scientific knowledge or application of this knowledge in novel ways
Where all six factors are met, the activity will generally qualify as scientific research. Where they are not, organisations must justify their position, taking into account the nature, scope, and context of the processing.
Why it matters: This creates a practical threshold test. Organisations should expect regulators to scrutinise whether activities genuinely constitute scientific research, rather than accepting labels at face value.
- Further Processing
While the GDPR presumes that further processing for scientific research is compatible with the original purpose, the EDPB makes clear this is not a blanket exemption. The presumption applies only where the further processing genuinely qualifies as scientific research (as clarified by the Guidelines and set out above). Where further processing of personal data is for purposes other than scientific research, a compatibility assessment would need to be completed. In one example provided by the EDPB, data collected in a scientific research project to analyse the use of a particular dialect in written language could then be used to develop an app in another research project, within the bounds of the presumption. Further, controllers must still assess the lawfulness of the processing, particularly where special category personal data (e.g., health data) is involved, or where the original legal basis (e.g., consent) may no longer be appropriate, and determine if additional conditions or limitations are required. The Guidelines reinforce that purpose limitation remains central, even in a research context.
Why it matters: Organisations should not treat secondary use for research as automatically compliant. The presumption of compatibility should be documented and, where necessary, the legal basis revisited.
- Storage Limitation
The EDPB takes a firm stance on the principle of storage limitation, advising that:
- Controllers must define and communicate retention periods, including where timelines are uncertain.
- Personal data may be retained post-study for verification and reproducibility.
- Retention for unspecified future research is not permitted. Future research must be reasonably foreseeable, in relation to the envisaged processing, and supported by appropriate safeguards under Article 89(1) GDPR.
Why it matters: Open-ended research repositories or data lakes without clear purpose boundaries are likely to face scrutiny. Organisations should move toward more granular purpose definition and retention governance, rather than relying on broadly framed “future research” justifications.
- Legal Bases for Processing
Consent (including “broad consent”): The EDPB confirms that broad consent can be valid, provided appropriate safeguards are in place, including:
- Clear framing of the research field or expected outcomes.
- Ongoing transparency (e.g., updates, portals, newsletters), the modality and frequency of which should be assessed project by project.
- Effective mechanisms to enable the withdrawal of consent.
- Consideration of dynamic consent as research evolves.
Controllers must also assess, project by project, whether new uses align with the data subjects’ reasonable expectations.
Public Interest and Legal Obligation: The EDPB confirms that private entities can rely on public interest or official authority legal bases where grounded in law (e.g., clinical trials and public health legal frameworks).
Legitimate Interest: Scientific research can constitute a legitimate interest, including for commercial actors. This is a significant clarification for industry, particularly where consent is impractical. However, this does not lower the bar; the balancing test remains critical, especially given the sensitivity and scale of research data.
- Transparency and Disproportionate Effort
The EDPB re-emphasises that the disproportionate effort exemption (i.e., from the requirement to provide notice to individuals under Article 14 GDPR) must be interpreted narrowly. Controllers must conduct a case-by-case assessment, taking into account factors such as the number of data subjects, the age of the data, safeguards in place, and the potential impact on individuals. Where the exemption is relied upon, alternative transparency measures (such as publicly available notices) must be implemented.
Why it matters: Whilst the narrow interpretation of the exemption is nothing new, it is a clear signal that routine reliance on the exemption is not acceptable. Organisations should consider revisiting their Article 14 GDPR assessments, ensure they are well-documented, and implement robust alternative transparency measures.
- Data Subject Rights
The EDPB reinforces that research-related derogations must be applied restrictively:
- Erasure: the GDPR provides a specific exception from the right to erasure where processing is necessary for scientific research purposes. The EDPB confirms that this must only be applied where erasure is likely to render impossible or seriously impair the achievement of the scientific research.
- Objection: the GDPR permits a controller to reject a data subject’s objection to the processing of their personal data where the processing is carried out for scientific research purposes. The EDPB confirms this is only the case where the processing is strictly necessary for public interest research.
Why it matters: The emphasis on necessity raises the evidentiary bar. Controllers must show not just usefulness but indispensability.
- Allocation of Responsibilities
In line with ongoing discussions under the proposed EU Biotech Act, the EDPB confirms that:
- An entity can be a controller even without directly handling personal data.
- In clinical trials, sponsors may be controllers — despite only accessing pseudonymised data — where they determine the purposes and means of the processing.
Why it matters: This reflects a continued shift toward a functional, influence-based concept of control. Organisations should reassess role allocation in multi-party research arrangements and ensure that contractual and governance frameworks align with this approach.
Next Steps
The EDPB is not restricting scientific research, but it is raising expectations around how it is governed. Organisations that invest in clear purpose definition, transparency, and demonstrable safeguards will be best-positioned to rely on the GDPR’s research framework.
The Guidelines are open for public consultation until 25 June 2026, with further refinements expected before finalisation.
Trainee solicitor Jennifer Petch also contributed to this blog post.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

