23 April 2026
EDPB Guidelines on Scientific Research: Key Implications for the Life Sciences Sector
A Long-Awaited Clarification for Scientific Research in the GDPR Framework
On 15 April 2026, the European Data Protection Board (EDPB) adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes. These Guidelines had been long anticipated: the EDPB had initially announced their adoption in 2021, at the height of the COVID-19 pandemic, but no further developments followed for several years.
Their publication is therefore particularly significant. Scientific research – especially in the life sciences sector – has long been an area in which data protection requirements are perceived by operators as a constraint rather than an enabling framework. This is despite the GDPR’s underlying policy objective of supporting scientific research, notably through the presumption of compatibility for further processing of personal data for such purposes.
In principle, this presumption should facilitate the secondary use of personal data originally collected for other purposes – for example, health data gathered in the context of clinical practice and subsequently reused for medical research. In practice, however, restrictive interpretations by supervisory authorities, unresolved ambiguities within the GDPR, and additional limitations introduced by national laws in certain member states have often rendered secondary use legally uncertain or operationally impracticable, exposing researchers and sponsors to significant compliance risks.
Against this background, the new Guidelines provide much-needed clarification and contribute to reducing some of these risks. However, important limitations remain, and certain areas of uncertainty will continue to require careful legal and operational assessment by research stakeholders.
The Guidelines address a broad range of issues, including the concept of scientific research; the presumption of compatibility; transparency obligations and lawful bases for processing, with particularly relevant clarifications on the limits of consent; the allocation of roles and responsibilities between controllers and processors; and the safeguards required under Article 89 GDPR.
Given the breadth and complexity of the document, the analysis below highlights a selection of issues of particular relevance for life sciences operators.
What Qualifies as “Scientific Research” under the GDPR?
While acknowledging that no universally agreed definition of scientific research exists, the EDPB confirms that the concept must be interpreted broadly, in line with Recital 159 GDPR. Scientific research may therefore encompass fundamental and applied research, technological development, privately funded research, and public health studies.
At the same time, the notion of scientific research “may not be stretched beyond its common meaning”. Only genuinely scientific processing activities can benefit from the GDPR’s research-specific regime.
To assess whether this threshold is met, organisations are required to consider six key indicative factors, including the presence of a methodical and systematic approach, adherence to recognised ethical standards, the autonomy and independence of the research, and the potential contribution to general scientific knowledge or societal well-being – even where commercial interests are also pursued. The EDPB expressly recognises that scientific research may be conducted by both public and private entities and may be profit-oriented.
Importantly, the Guidelines also clarify that not only core research activities fall within this scope. Ancillary processing operations – such as identifying potential research participants or preparing datasets – may also qualify, provided they are genuinely linked to a scientific research objective.
Presumption of Compatibility: A Powerful Tool with Practical Limits
One of the most relevant sections of the Guidelines concerns the presumption of compatibility under Article 5(1)(b) GDPR.
The EDPB confirms that:
- where personal data are initially collected for non-scientific purposes and subsequently reused for scientific research, such further processing is presumed to be compatible;
- conversely, where data are collected for a scientific research purpose and later reused for non-scientific purposes, a full compatibility assessment is required.
However – and this is a critical point – the presumption of compatibility does not eliminate the requirement to identify a valid lawful basis for further processing. Compatibility and lawfulness remain distinct and cumulative requirements.
In practice, this significantly limits the usefulness of the presumption where the original legal basis is consent, as is frequently the case in the life sciences sector. In such situations, controllers may still be required to obtain new consent – an exercise that may prove difficult to implement in practice or, in some cases, even impossible. As a result, a mechanism designed to facilitate secondary use risks being considerably weakened in operational terms.
Lawfulness and Consent: Key Practical Clarifications
The Guidelines confirm that the principal lawful bases for scientific research are consent, public interest, legal obligation, and legitimate interests, alongside the additional conditions applicable to special categories of data under Article 9 GDPR.
With regard to consent, several clarifications are of particular practical relevance:
- in medical research involving patients, controllers must take into account the individual’s physical and mental condition. However, the mere fact of being a patient does not, in itself, invalidate the ability to provide freely given consent, unless the individual is severely affected by their condition;
- a single consent may be valid where healthcare provision and scientific research are closely interrelated and necessary; otherwise, consent for research must be obtained separately and cannot be made a condition for receiving care or services;
- financial incentives offered for participation in a study must be carefully assessed to ensure they do not undermine the voluntariness of consent.
Of particular importance is the EDPB’s confirmation that “broad consent” remains permissible. Controllers may rely on consent for certain areas of scientific research even where the specific purposes are not fully known at the time of data collection, provided that those purposes are defined as clearly as possible and appropriate safeguards are implemented.
However, where future research activities fall outside the reasonable expectations created by the original consent, controllers will need to seek additional consent – often referred to as “dynamic consent” – for specific projects or phases thereof.
Controllers relying on broad consent are expected to define research purposes with sufficient precision to enable both necessity assessments and meaningful understanding by data subjects. This may involve delimiting the scope by reference to a specific field of research (eg oncology) or to expected outcomes (eg the development of new therapeutic approaches).
They must then assess, on a case-by-case basis, whether subsequent processing falls within the scope of that consent, taking into account the reasonable expectations of data subjects and, where appropriate, engaging with representative groups. Where processing falls outside those boundaries, new consent must be obtained.
To compensate for the reduced level of specificity inherent in broad consent, controllers are also required to implement enhanced safeguards. These include making detailed and regularly updated information available – such as via dedicated websites – and enabling data subjects to remain informed over time, for example through subscription-based communications. Such measures are intended to preserve data subjects’ control over their personal data, including the effective exercise of their right to withdraw consent.
Transparency Obligations over Time
Transparency is closely linked to the lawfulness of processing, particularly where consent is relied upon, as consent must be informed. The EDPB devotes significant attention to transparency in the context of long-term and evolving research projects.
Controllers are encouraged to:
- retain or collect contact details where future research use is envisaged;
- implement layered and dynamic transparency tools, such as dedicated websites or periodic communications;
- inform data subjects where processing purposes or key parameters materially change;
- ensure that data retention periods remain reasonably foreseeable and linked to a defined scientific field, while regularly reassessing the necessity and proportionality of continued storage.
Indirect transparency mechanisms may be relied upon where providing information directly would involve a disproportionate effort under Article 14(5) GDPR. However, exemptions based on impossibility are expected to remain exceptional.
Concluding Remark
The EDPB Guidelines represent a meaningful step towards greater legal certainty in the processing of personal data for scientific research, particularly in a sector where regulatory complexity has often been perceived as a barrier to innovation. By clarifying key concepts – such as the scope of scientific research, the operation of the presumption of compatibility, and the conditions for valid consent – the Guidelines offer a more structured framework for compliance.
Nevertheless, they do not resolve the fundamental tensions inherent in the GDPR’s approach. In particular, significant limitations on the secondary use of personal data remain, and this continues to pose a substantial challenge. Moreover, the need to navigate national derogations means that a fully harmonised regulatory landscape is still some way off.
Therefore, while the Guidelines provide helpful direction, they do not eliminate the need for robust, case-by-case legal analysis and carefully designed governance frameworks. Organisations that can combine regulatory compliance with pragmatic, well-documented decision-making processes will be best positioned to leverage the opportunities offered by data-driven research while effectively managing residual legal risks.