The EDPB’s new scientific research guidelines: a welcome route map, but no shortcut for “research” by assertion
April 28, 2026
The European Data Protection Board’s Guidelines 1/2026 on processing of personal data for scientific research purposes, adopted on 15 April 2026 in a version for public consultation, deserve close attention well beyond academia. They matter to pharmaceutical companies, healthtech and medtech businesses, AI developers, public sector research bodies, data-rich corporates, and, perhaps above all, to legal counsel who are asked to decide whether a project can properly sit within the GDPR’s research framework. The Guidelines do not shut the door on innovation. In many respects, they do the opposite. But they make one point with real force: the GDPR gives room to genuine scientific research, not to anything a business chooses to describe as “research” after the event.

The first question is no longer “is this innovative?”

For many clients, the instinctive starting point is still the wrong one. A project team says it is testing a model, exploring data, running a pilot, or generating insight. Everyone in the room agrees that it feels innovative, data-driven and socially useful. The legal analysis then risks becoming too sympathetic too early. The EDPB pushes against that instinct. It accepts that scientific research should be interpreted broadly and may include technological development, demonstration, applied research and privately funded research. It also accepts that private entities and profit-making organisations may carry out scientific research. But the Board immediately adds the qualification that matters most in practice: the concept may not be stretched beyond its common meaning, and the controller must be able to substantiate and demonstrate that the processing really is for scientific research purposes. In other words, innovation helps, but it does not decide the question.
That is likely to become the most useful discipline point for legal teams. The right opening question is not, “Can we call this research?” It is, “What makes this genuinely scientific?” If the answer is thin, the rest of the GDPR analysis will not rescue the project.

The six-factor test will become the real gateway

The Guidelines are at their strongest when they move from abstraction to structure. The EDPB sets out six key indicative factors for determining whether processing is motivated by scientific research purposes: a methodical and systematic approach; adherence to ethical standards; verifiability and transparency; autonomy and independence; an objective of contributing to society’s general knowledge and wellbeing; and the potential to contribute to existing scientific knowledge or apply it in novel ways. Where those factors are present, the activity can be presumed to amount to scientific research. Where they are not, the controller must justify why the project should nonetheless be treated that way. This is more than a neat summary. In practice, it is a challenge framework for legal counsel.

Take a straightforward example. A pharmaceutical company runs a clinical trial for a rare disease. It appoints qualified researchers, works to a research plan, follows good clinical practice, obtains ethical review, and intends to publish the results. That project looks scientific because it behaves scientifically. The same is true of the EDPB’s example of an AI start-up working with a university partner on bias in generative AI models, subject to ethical review and public dissemination of results. The commercial dimension does not disqualify either project, because the commercial dimension does not crowd out the scientific one.

Now compare that with a more familiar corporate scenario. A retail business analyses customer purchases, visit frequency and return behaviour to refine its marketing strategy. The work is analytical. It may even be sophisticated.
But the EDPB says it is not scientific research. Why not? Because it lacks the elements that matter: no real scientific contribution, no publication, no independent review, no autonomy from commercial objectives, and no broader contribution to collective knowledge. That example will land uncomfortably in many boardrooms, because a good deal of what businesses call R&D or behavioural research looks much closer to that retail example than to a clinical trial or a structured AI study.

The private sector is in scope, but it has to earn its place

One of the more helpful aspects of the Guidelines is their refusal to treat scientific research as something owned by universities or public bodies. For clients in the life sciences, digital health, AI and advanced technology sectors, that is good news. The EDPB openly recognises that scientific research may be carried out by private and for-profit organisations. That point matters because some businesses have long suspected that the GDPR’s research provisions were written with public research institutions in mind and only reluctantly applied to commercial actors. The Guidelines are more realistic than that.

But commercial actors should not misunderstand the concession. The EDPB is not saying that private companies get special tolerance because they innovate. It is saying that private companies can qualify if they can show the same things that would be expected in any serious research setting: method, qualified researchers, transparency, ethical discipline, and a genuine knowledge objective. That means legal counsel advising private clients should focus less on defending the label and more on pressure-testing the structure. Who formulated the research question? Who reviews the design? What is the publication or dissemination plan? What makes the work verifiable? What protects the researchers’ independence from purely commercial pressure? Those questions will matter much more now.
Compatibility helps, but it does not finish the job

Many clients will focus immediately on one of the Guidelines’ more useful statements, namely that further processing for scientific research purposes is presumed compatible with the initial purpose under Article 5(1)(b) GDPR. This is helpful. It means controllers do not need to carry out the Article 6(4) compatibility test each time they move from an original processing purpose to a scientific research purpose. For organisations seeking to re-use data sets, research repositories or existing operational data, that will sound like a welcome simplification.

But the EDPB is careful, and legal counsel should be too. Compatibility is not the same as lawfulness. The Board says so expressly. A controller may not need the compatibility test, but it must still decide whether it has a valid Article 6 basis for the research processing and, where relevant, a valid Article 9 condition for special category data. In many cases the same legal basis may still work, particularly where the original processing already rested on public interest or legitimate interests. In other cases, especially where the original basis was consent or legal obligation, the answer may be different.

The EDPB’s social media dialect example shows how this should work in practice. A research institute collects publicly accessible personal data for one language project, then later wants to use the same data in a new project to build an app and study writing improvement over time. The institute does not need the compatibility test again. But it still assesses lawfulness and still relies on legitimate interests only after considering the societal value of the research and implementing safeguards. That is exactly the kind of discipline legal counsel should insist on. Re-use becomes easier, not casual.

Storage limitation still has teeth

Retention is another area where clients may be tempted to over-read the Guidelines.
Yes, the EDPB confirms that personal data may be stored for longer periods for scientific research purposes, including where future research projects are envisaged. That will be important for biobanks, patient registries, longitudinal studies, research platforms and carefully built data repositories. But the Board also draws a very clear boundary. Storage for generic future scientific research, without any meaningful specification of purpose, cannot be justified. If a future project is not yet fully specified, the controller may define a certain area of research. Even then, the future scientific activities must be reasonably foreseeable, the controller must be able to substantiate how the data may be used in future projects, and it must assess what categories of data are still necessary to retain. It must also review that necessity over time, including whether the data should now be anonymised or pseudonymised.

That point will be particularly relevant to clients who want to build “research data lakes”. A data lake is not a lawful retention rationale by itself. Legal counsel should push for a more exact answer: what research area, what likely future uses, what data categories, what review cycle, and why are identifiable or pseudonymised data still needed?

Broad consent is possible, but only with real governance

The Guidelines are also pragmatic on consent. The EDPB accepts both broad consent and dynamic consent in the research context. Broad consent may work where the exact future purposes are not yet fully known, provided the consent relates to a defined area of scientific research and the controller puts in place additional safeguards. Dynamic consent remains available where data subjects are asked to consent to particular projects or stages as they become concrete. The Board even contemplates combining both approaches. That is a practical gift to organisations whose research pathways evolve over time. But it is not a drafting shortcut.
The Guidelines are explicit that broad consent does not allow controllers to avoid purpose specification altogether. It is not enough simply to say that data will be used for “scientific research”. The purposes of future research must be defined as clearly as possible. The controller must assess whether later projects still fall within that research area and within the reasonable expectations of the data subjects. If they do not, fresh consent will be needed.

This is where legal advice becomes operational. A client that says it relies on broad consent should be asked how it tracks later projects against the original consent scope. Does it publish project updates? Does it give participants an accessible way to follow developments? Has it built an oversight body, independent review mechanism, or data trustee model? The EDPB specifically points to measures such as webpage updates, newsletters, use and access controls, time-limited consent validity, and independent oversight bodies. In other words, broad consent is not “broad” because governance is relaxed. It is broad because governance is stronger.

Legitimate interests remain available, but only for serious projects

The Board’s treatment of legitimate interests is likely to be one of the most cited parts of the Guidelines. The EDPB confirms that scientific research can amount to a legitimate interest regardless of whether the research is non-profit or commercial. It also says that the significant societal interest in conducting scientific research can carry significant weight in the balancing test. That is a valuable clarification for private sector clients, especially where consent is fragile and public-interest legal bases are unavailable.

Still, this is not an invitation to use legitimate interests as a fallback for anything that sounds worthy. The weight given to the balancing test depends on the project being genuine scientific research in the GDPR sense and on appropriate safeguards being in place.
The Board also expects controllers to consider data subjects’ reasonable expectations and, where necessary, adopt further safeguards if the first set is not enough. If sufficient mitigating measures cannot be taken, legitimate interests will not do the job. That makes the practical message quite simple. Legitimate interests are stronger after these Guidelines, but only for clients willing to do the hard work first.

Safeguards are not the footnote. They are the structure.

If one theme runs through the whole document, it is the centrality of safeguards under Article 89(1). The EDPB repeatedly stresses that research flexibilities are tied to protective measures. Anonymised data should be used where possible. If anonymisation is not possible, pseudonymisation should be used. Directly identifying data should be processed only where that is strictly necessary and proportionate. Controllers should also consider secure processing environments, ethical or independent oversight, privacy-enhancing technologies, confidentiality arrangements, publication controls and conditions on further use.

This matters because clients often present safeguards as the tail end of the analysis. The Guidelines treat them as the engine room. A good research project is not one that identifies a legal basis first and worries about controls later. It is one that embeds those controls from the outset.

Role allocation will be a pressure point in collaborations

Finally, the Guidelines will be particularly useful in collaborative settings. The EDPB stresses that where several entities are involved in scientific research, responsibility must be assessed and documented. That point is especially important in public-private partnerships and in any project where multiple parties help shape the protocol or the data environment. This is where many real projects still become untidy. The university assumes the company is the controller. The company assumes the hospital is.
The platform provider calls itself a processor but in fact shapes the research architecture. The arrangement muddles through until a data subject rights request arrives or a regulator asks for the role analysis. The Guidelines are a timely reminder that those questions should be answered at the beginning, not improvised at the end.

A final thought

The real value of the Guidelines is that they sharpen the quality of the questions lawyers should ask. Not, “Is this interesting?” Not, “Could this be useful?” Not even, “Would the client like this to count as research?” The better questions are harder and more useful. What exactly is the research objective? What makes the work scientific? Where is the method? Where is the independent oversight? Which legal basis truly fits? Why these data? Why for this long? Why in this format? And what safeguards are doing the real protective work?

Clients who can answer those questions well now have a clearer route through the GDPR. Clients who cannot will find that the EDPB has made one thing much harder: hiding ordinary commercial analytics behind the vocabulary of science.