Navigating the European Data Protection Board (EDPB) Draft Guidelines
A context that calls for clarity
Science has long been recognised under EU law as a value that benefits society. The General Data Protection Regulation (GDPR) reflects this by allowing a degree of flexibility where data are used exclusively for scientific research purposes, such as the possibility of storing them for longer periods or reusing them for related projects. Yet the development of new technologies and the expansion of cross-border research have raised questions about the scope of those exceptions. Which activities can benefit from the research regime? How should participants be informed when the object of a study evolves? Which measures minimise the risk of re-identification? In response to these questions, the European Data Protection Board (EDPB) adopted Draft Guidelines 1/2026 on 15 April 2026 with the aim of harmonising approaches and, once the Public Consultation is over, providing a reference point for supervisory authorities.
What is meant by scientific research?
The GDPR does not define "scientific research"; the guidelines fill that gap by describing six features which, taken together, give rise to a presumption that an activity amounts to scientific research: (1) a methodical and systematic approach; (2) adherence to ethical standards and research integrity; (3) verifiability and transparency of results; (4) autonomy and independence in the choice of means and ends; (5) a contribution to knowledge and societal well-being; and (6) the potential to contribute to existing scientific knowledge or apply it in novel ways. Where all these elements are present, the use of data can benefit from the flexibilities provided for by the GDPR.
The EDPB also clarifies that research data infrastructures, such as biobanks, imaging banks or genetic repositories, may themselves amount to scientific research where their design reflects those six factors. It also notes that ancillary processing operations, such as recruiting participants, curating data sets or pseudonymising information, may fall within the notion of scientific research where they pursue a clear scientific objective.
Having identified the features that distinguish scientific research, the next question is how they fit within the structure of the GDPR.
From defining the purpose to managing time
Once an activity has been identified as scientific, the next step is to comply with the basic principles of the GDPR. The principle of purpose limitation prevents data from being reused for purposes that are incompatible with those for which they were originally collected. Article 5(1)(b), however, introduces a presumption of purpose compatibility: the further processing of personal data for scientific research purposes is generally lawful and does not require a separate compatibility test where the scientific purpose is maintained.
That presumption applies only where the processing remains limited to scientific research purposes. If a project shifts towards commercial uses or goes beyond the scope of the original consent, a compatibility assessment will be required and, where appropriate, a new legal basis may have to be identified.
Another key issue is the management of time. The GDPR allows controllers to store personal data for longer periods where they are processed for scientific research purposes and appropriate safeguards are in place. The guidelines therefore urge controllers to set concrete retention periods, or at least clear criteria, and to review them periodically, avoiding indefinite retention. Keeping personal data after the end of a study may be justified in order to verify results or support follow-on projects, but that retention must be properly justified.
Legal bases: consent, public interest and legitimate interest
Following purpose and timing comes the analysis of the legal basis. The guidelines identify three main legal bases for research and remind controllers that, where health data, genetic data or other special categories of personal data are involved, an Article 9 condition must also be relied upon.
- Broad consent. Broad consent may be sought for future projects that cannot yet be fully described, provided that the area of research is sufficiently delimited. It is not enough to refer in general terms to “scientific research”; the field or expected objective must be specified. Before each specific project begins, the controller should verify whether it falls within that broad consent and, if it does not, obtain additional consent. This iterative approach is what is known as dynamic consent. Because broad consent is less specific, the guidelines recommend keeping participants informed and putting external oversight in place.
- Public interest or exercise of official authority. Article 6(1)(e) GDPR allows processing where a law or administrative act entrusts an entity with a public-interest task. The relevant measure must be clear, necessary and proportionate. In the healthcare field, sector-specific rules are expected to specify safeguards in greater detail.
- Legitimate interest. Scientific research may also be based on the legitimate interests of the controller or a third party, provided that the societal value of the research is weighed against the rights and reasonable expectations of the individuals concerned. Appropriate measures must be taken to mitigate risks. Public authorities cannot rely on this legal basis in relation to processing carried out in the performance of their public tasks. Where special categories of personal data are involved, the relevant Article 9 condition and any applicable national requirements will also shape the analysis.
Transparency and data subject rights
Once the legal basis has been identified, controllers must turn to transparency. The guidelines make clear that participants should know who is processing their personal data, for what purpose, for how long, and how they may exercise their rights. In long-term studies, it is advisable to collect contact details so that participants can be kept informed of developments and changes. Information may be provided through written notices, websites or applications, and should include a contact point for queries.
Where personal data are obtained from other sources, the individuals concerned must still be informed unless doing so is impossible or would seriously impair the research objective. Any material change, for example the inclusion of new categories of data or new partners, must be communicated in good time.
Participants retain their rights to erasure and to object, although the GDPR provides for specific exceptions in the research context. A controller may refuse an erasure request where deletion would make the research impossible or seriously impair it and where appropriate safeguards are in place. Likewise, an objection may be overridden where the controller can demonstrate that the processing is necessary for a task carried out in the public interest or that its legitimate interest prevails and coincides with that public interest. Derogations under Article 89(2) and national laws make it possible to adapt those rights to the scientific context.
The handling of these rights is closely connected to the allocation of responsibility and to the technical and organisational measures that underpin trust in scientific research.
Responsibilities and safeguards: a bridge towards trust
In addition to principles and legal bases, data protection requires a clear allocation of responsibilities. Where several entities jointly determine the purposes and means of a study, as is often the case in research consortia, they act as joint controllers and should document and communicate their respective responsibilities so that participants know whom to contact.
Appropriate safeguards are the other pillar that makes it possible to rely on the flexibilities of Article 89(1). The EDPB insists on data minimisation: anonymised or pseudonymised data should be used wherever possible, and directly identifying data should be processed only where strictly necessary. Projects should also be subject to independent ethical oversight. Secure processing environments make it possible to analyse information without copying or downloading it, thereby reducing the risk of disclosure. Technologies such as pseudonymisation, encryption and differential privacy can further mitigate risk.
As we noted in our earlier post, Pseudonymised data in clinical trials, pseudonymisation reduces the risk of re-identification but does not remove the personal nature of the data where a re-identification key exists. The draft guidelines reinforce that point. Controllers should therefore combine pseudonymisation with contractual protections, robust governance and publication criteria that prevent the identity of participants from being revealed.
Practical implications for the life sciences sector
For the life sciences sector, the guidelines translate into concrete practices. Sponsors of clinical trials should rely on robust methodologies and ensure that protocols are reviewed by ethics committees. Where broad consent is used, the scope of the research must be clearly delimited and participants should be kept informed so that dynamic consent can be sought as projects evolve. Biobanks must define who can access samples and ensure that processing takes place in secure environments. In multinational projects, it is essential to identify joint controllers and agree transfer conditions that comply with data protection rules.
A horizon of participation
The public consultation on Guidelines 1/2026 remains open until 25 June 2026. This creates an opportunity for pharmaceutical companies, university hospitals, patient organisations and other stakeholders to submit comments. Those observations may influence the final version of the guidelines and the future interpretation of the GDPR in the research context.
Pending that final version, life sciences organisations can already begin to review their projects in light of the draft. It is useful to verify whether activities meet the six characteristics that identify scientific research, to choose the appropriate legal basis and, where relevant, the Article 9 condition, to update privacy notices so that participants understand the purpose and duration of the processing, to establish communication channels and procedures for handling erasure and objection requests, to allocate responsibilities among partners, and to implement safeguards such as pseudonymisation and secure processing environments. In short, a proactive approach to data protection not only facilitates compliance but also helps to build trust, a necessary condition for scientific research to thrive and continue delivering benefits to public health.
For more information, please contact our specialists through the Knowledge and Innovation Area.