New EDPB Guidelines on the Use of Personal Data in Scientific Research

By Dan Cooper, Kristof Van Quathem & Anna Oberschelp de Meneses on April 21, 2026

On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.

The Guidelines have been long awaited: the EDPB first flagged them in its 2021/2022 work program and continued to list them as a priority in later programs. The key message is clear: the GDPR is not intended to hinder scientific research. However, only research that is “genuinely scientific” benefits from the GDPR’s research‑specific provisions, and those provisions apply only subject to strict safeguards.

This post highlights ten key takeaways for organizations conducting or supporting research in the EU, including technology and life sciences companies, and data‑driven research teams. As the Guidelines are likely to inform supervisory authority enforcement once finalized, organizations engaged in scientific research should consider reviewing their research frameworks and data‑use practices in light of the EDPB’s guidance.

Ten Key Takeaways for Organizations Using Personal Data in Scientific Research

1. The GDPR’s research‑specific rules apply only to “genuinely scientific research.” Six key indicative factors determine whether a project serves scientific research purposes, namely whether the project:

  • follows a methodical and systematic approach consistent with the relevant research field;
  • adheres to recognized ethical standards;
  • aims to achieve verifiable and transparent results, with research methods, data, and conclusions open to scrutiny, normally through peer review, and results published or intended to be published (subject to legitimate safeguards to protect intellectual property or trade‑secrets);
  • is conducted independently by qualified researchers with appropriate academic or scientific expertise;
  • seeks to contribute to general scientific knowledge or societal wellbeing, including when research is privately funded; and
  • has the potential to advance existing knowledge or apply it in new ways.

The Guidelines illustrate these criteria through examples, for instance demonstrating that a typical clinical trial or a research project exploring bias in generative AI models may qualify as scientific research, while commercial retail data analytics does not.

The Guidelines mention that a project qualifies as scientific research if it meets all the listed factors, even though the GDPR itself does not create a formal presumption. Where some factors are not met, organizations must explain why their activities should still be treated as scientific research.

2. Ancillary processing operations may also fall within the scope of the scientific research provisions. Ancillary activities that qualify include (i) preparatory activities, such as processing contact details to identify potential research participants; (ii) research‑data management activities, such as identifying relevant data and extracting, filtering, grouping, curating, and categorizing personal data; and (iii) anonymizing or pseudonymizing data before its use in specific research projects.

3. Article 5(1)(b) GDPR addresses only one of the two core requirements that apply when personal data are reused for scientific research, namely the principle of purpose limitation. The Guidelines provide that where personal data are originally collected for non‑research purposes, or for one scientific research purpose, their further use for scientific research or for a different research purpose is in principle compatible with the original purpose under Article 6(4). This also applies where personal data are disclosed by one controller to another for that second controller’s own scientific research. However, controllers in these situations still need to comply separately with the GDPR’s lawfulness principle, an approach previously taken by data protection authorities. This means that organizations must assess whether the legal basis relied on for the initial processing is also suitable for the further processing for scientific research purposes, or whether a new legal basis must be established.

4. Controllers relying on broad consent for scientific research should define future research purposes as clearly as possible, for example by reference to a specific field of research or to expected research outcomes. The description of the purpose should be sufficiently precise to enable controllers to determine which personal data have to be processed and which data can be omitted. Controllers should also consider putting safeguards in place to give data subjects ongoing control and protection with respect to their data as research progresses. This may include providing relevant informational updates through a webpage or newsletter. Controllers may also offer tools to manage access and consent, set consent to expire after a defined period, and rely on independent oversight, such as ethics committees, data protection officers, research experts, or participant representatives.

5. When relying on legitimate interests for scientific research, controllers must factor the Article 89 safeguards into the balancing test and introduce additional measures where needed. Failing this, the Guidelines provide that a different legal basis must be used. In the context of medical research involving health data, the EDPB notes that reliance on Article 6(1)(f) GDPR must be combined with an applicable derogation under Article 9(2) GDPR. The Guidelines expressly refer to Article 53(1)(e) of the European Health Data Space Regulation (EHDS) as one such derogation for scientific research based in EU law pursuant to Article 9(2)(j), but refrain from mentioning any other.

6. In long‑term scientific research, controllers should invite data subjects to provide contact details, even where those details are not needed for the research itself, so that the data subjects can be kept informed over time. Controllers should then use communication channels such as email, phone, text messages, or regular mail, and consider tools like webpages, privacy dashboards, or consent receipts to keep data subjects informed, enable them to exercise their rights or manage consents, and provide clear contact points for questions and requests. The EDPB illustrates this notion through examples, including clinical trials and interview‑based research that involve layered information and dedicated contact points. The obligation to inform data subjects applies even where the controller does not interact with the data subjects or process the data directly, for example where research processing is carried out by a processor or joint controller. Controllers should not knowingly delete contact details if they intend to, or can foresee that they will, further process personal data for scientific research purposes.

7. In scientific research, individual notification can in some instances constitute a disproportionate effort, and the requirement may then be lifted. The Guidelines explicitly mention that this may be the case where it would involve informing very large numbers of data subjects, where contact details are outdated or cannot reasonably be obtained, or where the personal data are particularly old, for example datasets that are more than ten years old. However, this exception is intended to be interpreted narrowly. When relying on it, controllers should weigh the effort of providing information against the impact on data subjects if they are not informed directly, taking into account the Article 89 GDPR safeguards in place and whether information can be provided through indirect means instead.

8. The Guidelines supply examples of changes that do and do not require sending data subjects an updated notice. Updated information should be shared with data subjects when there are “material” changes to any underlying research purposes or applicable legal bases, changes to the controller or its research partners, including new international transfers, extensions of original retention periods, higher‑risk research methods, new categories of personal data, or changes to how data subjects can exercise their rights. By contrast, no new notice is usually required for unchanged recurring studies, for new research partners already covered by disclosed recipient categories, or for additional data types falling within previously disclosed personal data categories.

9. The Guidelines provide several examples to demonstrate that roles in scientific research turn on substantive decision‑making, not labels. For example, in clinical trials, a sponsor that defines the research purpose and essential means for processing acts as a controller, while a contract research organization (CRO) supporting the trial operates as a processor by carrying out tasks such as monitoring, data analysis, and record‑keeping based on the sponsor’s instructions. By contrast, merely agreeing to and following an already established research protocol does not automatically give rise to joint controllership. Joint controllership arises where the relevant research partners genuinely co‑determine purposes and means of processing. The Guidelines illustrate this through a research consortium that jointly drafts and approves a common protocol setting out shared objectives, methodology, the data to be collected, and further research use, including through jointly operated research infrastructure. While these examples are helpful, applying them in practice may remain challenging, particularly in complex, multi‑party research collaborations where decision‑making responsibilities evolve over time and are not always clearly documented. The discussion also remains high level and does not, for example, address the respective roles of trial sites and sponsors in the context of clinical trial research.

10. Controllers should assess and implement appropriate Article 89(1) safeguards based on the nature, scope, context, purposes, and risks of the scientific research. This includes conducting a risk analysis or, where required, a DPIA, implementing appropriate technical and organizational security measures, and clearly allocating internal responsibilities for data processing. Data minimization remains key as controllers must anonymize data whenever possible. Where pseudonymization is used instead, the Guidelines note that the legal basis for processing personal data extends to all processing operations necessary to apply the pseudonymization. Controllers must also clearly inform data subjects about when personal data are still processed in an identifiable form, whether the data are shared with others, and that anonymization irreversibly prevents retrieval of individual-level information from research outputs. The Guidelines list additional safeguards that may be appropriate depending on the research context, such as the use of privacy‑enhancing technologies to reduce re‑identification risks and secure processing environments or controlled access points that allow researchers to work with data without local storage or unrestricted copying.

*              *              *

The Privacy and Cybersecurity team is closely monitoring these developments and their implications for organizations conducting scientific research in the EU. Please reach out to a member of the Covington team if you would like to discuss the EDPB’s guidance or need assistance assessing its impact on your research activities.

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.
  • Posted in:
    Privacy & Data Security
  • Blog:
    Inside Privacy
  • Organization:
    Covington & Burling LLP

Copyright © 2026, LexBlog. All Rights Reserved.