
EDPB Issues New Guidelines on Scientific Research Data Processing

Regulation Reporter

The European Data Protection Board has published comprehensive Guidelines 1/2026 clarifying how organizations can process personal data for scientific research while maintaining GDPR compliance.

The European Data Protection Board (EDPB) has released its Guidelines 1/2026 on processing personal data for scientific research purposes, providing much-needed clarity for researchers and institutions navigating the intersection of scientific advancement and data protection requirements under the General Data Protection Regulation (GDPR).

The guidelines address a critical tension in modern research: how to balance the legitimate needs of scientific inquiry with the fundamental rights of data subjects. With the exponential growth of data-driven research across fields from medicine to social sciences, the EDPB recognized the need for specific guidance on applying GDPR principles in research contexts.

Key Clarifications on Scientific Research Exemption

One of the most significant aspects of the guidelines is the detailed explanation of Article 89(1) GDPR, which provides for derogations for scientific research purposes. The EDPB clarifies that "scientific research purposes" should be interpreted broadly, encompassing fundamental research, applied research, privately funded research, and research conducted by private companies.

The guidelines establish that processing personal data for scientific research is permitted when:

  • The research serves a public interest purpose
  • Appropriate safeguards are in place to protect data subjects' rights
  • The processing is necessary for the research objectives
  • Data minimization principles are respected

Pseudonymization as a Key Safeguard

The EDPB places particular emphasis on pseudonymization as a critical technical and organizational measure. The guidelines explain that pseudonymized data can benefit from certain exemptions from data subjects' rights under Article 11 and Recital 28, provided that the pseudonymization is effective and that additional information required to re-identify individuals is kept separately with appropriate technical measures in place.

"Pseudonymization is not just a recommendation but a requirement when processing personal data for scientific research," the guidelines state, adding that researchers should implement pseudonymization from the earliest stages of data collection and processing.

The guidelines provide detailed guidance on when consent can serve as a legal basis for research data processing and when alternative bases might be more appropriate. While consent remains a valid option, the EDPB acknowledges situations where obtaining consent may be impractical or impossible, such as retrospective research on existing datasets.

In such cases, the guidelines outline when researchers can rely on other legal bases, including:

  • Processing necessary for scientific research in the public interest
  • Processing based on Union or Member State law that provides appropriate safeguards
  • Processing for archiving purposes in the public interest

Data Retention and Deletion

Specific provisions address data retention periods for research purposes. The EDPB clarifies that while GDPR generally requires data to be kept no longer than necessary, research data may be retained for longer periods when necessary for scientific purposes, provided appropriate safeguards are in place.

The guidelines recommend that research institutions establish clear data retention policies that balance the potential future utility of data against privacy risks, with regular reviews of whether continued retention is justified.

Practical Implementation Steps

To assist organizations in implementing these guidelines, the EDPB provides a practical checklist covering:

  1. Assessment of necessity: Determining whether personal data is truly necessary for the research objectives
  2. Selection of appropriate safeguards: Implementing technical and organizational measures appropriate to the risk level
  3. Documentation requirements: Maintaining records of processing activities and risk assessments
  4. Data subject information: Providing clear, accessible information about how personal data will be used
  5. Security measures: Implementing appropriate technical and organizational security measures

Impact on Different Research Sectors

The guidelines have particular implications for several research sectors:

Medical and Health Research: The guidelines provide specific considerations for health data processing, acknowledging the sensitive nature of health information while recognizing its critical importance for medical advancement.

Social Science Research: Special attention is given to the challenges of pseudonymizing qualitative data and the need for careful consideration of re-identification risks in social research.

AI and Machine Learning Research: The guidelines address the unique challenges of using personal data in AI training datasets, emphasizing the need for careful documentation of data sources and processing purposes.

Compliance Timeline and Next Steps

While the guidelines are immediately applicable, the EDPB recommends that research institutions conduct a comprehensive review of their data processing activities within six months to ensure alignment with the new guidance. Data protection officers and research ethics committees should work together to implement necessary changes to research protocols and data handling procedures.

Looking Forward

The release of these guidelines represents a significant step toward harmonizing data protection requirements with scientific research needs across the EU. By providing clear, practical guidance, the EDPB aims to reduce uncertainty and compliance burdens while maintaining robust protection for data subjects.

Research institutions and organizations processing personal data for scientific purposes should:

  • Review their current data processing activities against the new guidelines
  • Update research protocols and data protection impact assessments
  • Implement or enhance pseudonymization measures where appropriate
  • Ensure appropriate documentation of legal bases and safeguards
  • Provide training to researchers on the new requirements

The full guidelines document is available on the EDPB website and includes detailed examples and case studies to assist organizations in practical implementation.
