Processing Personal Data for Scientific Research — What the New EDPB Guidelines Clarify

On 16 April 2026, the European Data Protection Board (EDPB) adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes. The document has been opened for public consultation — the deadline for comments is 25 June 2026.

These are among the most significant EDPB guidelines for the research sector since the GDPR entered into force. They address questions that have generated practical uncertainty for years: when controllers can rely on broad consent, what dynamic consent means, how to apply the derogations under Article 89 GDPR, and what qualifies as a “scientific purpose” under the regulation.

Why These Guidelines Are Needed

The GDPR treats scientific research in a specific way. Article 5(1)(b) considers further processing for scientific research purposes as compatible with the original purpose of collection (the so-called compatibility presumption). Article 89 introduces safeguards and derogations from certain data subject rights where processing is carried out for research purposes.

The problem was that these provisions were applied inconsistently across the EU. Universities, research institutes, pharmaceutical companies, and hospitals interpreted them differently — often either too restrictively (blocking valuable research) or too liberally (invoking “scientific purpose” to justify any processing).

What the Guidelines Cover

Definition of Scientific Research

The EDPB clarifies that “scientific research” under the GDPR covers research conducted by academic institutions, research institutes, and clinical hospitals, but also by private entities — provided the research meets the methodological and ethical standards recognised in the relevant field. Simply labelling an activity as “research” is not sufficient.

Broad Consent

This is one of the key concepts in the guidelines. The EDPB confirms that controllers may rely on broad consent where research purposes are not fully known at the time of collecting personal data.

Conditions for using broad consent:

• consent must cover a defined research area or discipline (e.g., “neurodegenerative disease research”), not any future purpose
• the controller must apply additional safeguards to compensate for the lack of full purpose specification — such as pseudonymisation, access controls, ethics committee oversight
• the data subject must be able to withdraw consent at any time

Dynamic Consent

The EDPB introduces dynamic consent as an alternative or complement to broad consent. Under this model, the controller contacts individuals to consent to participation in a specific research project once the purposes of that project become known. A combination of both models is also possible — broad consent at the data collection stage, and dynamic consent when specific projects are launched.

Further Processing for Research (Article 5(1)(b))

The EDPB clarifies that the compatibility presumption in Article 5(1)(b) means controllers are not obliged to carry out a purpose compatibility test when further processing data for scientific research purposes. However:

• the legal basis of the original processing must also be suitable for the further processing for scientific research purposes
• the controller must apply safeguards under Article 89(1) — in particular pseudonymisation or other technical measures minimising the risk of identification

Data Subject Rights

The guidelines clarify how to apply the derogations from rights under Article 89(2) GDPR. Member states may provide in national law for derogations from the right of access, the right to rectification, the right to restriction of processing, and the right to object — but only where:

• the derogation is proportionate
• appropriate safeguards are in place
• exercising the right would render impossible or seriously impair the achievement of the research purposes

What This Means in Practice

For Universities and Research Institutes

The guidelines provide a clearer basis for using broad consent in biorepositories, clinical databases, and longitudinal studies. Key point: using broad consent does not exempt the controller from the information obligation — data subjects must know in which research area their data will be used.

For Clinical Research and Pharmaceutical Companies

Dynamic consent may be a practical solution where a study sponsor wants to use clinical trial data for further analyses. The guidelines confirm this is a permissible model — provided transparency and safeguard requirements are met.

For DPOs

The guidelines give DPOs clearer criteria for assessing whether internal teams invoking “scientific purpose” are justified. If the activity does not meet the methodological and ethical standards of the relevant field — it does not qualify as scientific research under the GDPR.

Public Consultation

Comments on Guidelines 1/2026 may be submitted on the EDPB website until 25 June 2026. After the consultation, submissions will be published and the guidelines may be modified before final adoption.

Summary

EDPB Guidelines 1/2026 provide practical clarifications on processing personal data for scientific research — including rules for using broad consent and dynamic consent, conditions for further processing without a purpose compatibility test, and rules for restricting data subject rights. The public consultation runs until 25 June 2026. For organisations conducting research or collaborating with the research sector — this is a document worth reading before it is finalised.

Source: EDPB | Public consultation

FAQ