03

Immagine creata con IAAI-generated image

Scientific research and the GDPR: the EDPB’s Guidelines 1/2026 bring clarity, but the puzzle is not complete

On 15 April 2026 the European Data Protection Board adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes, put out for public consultation until 25 June 2026. Six key factors to qualify research, a presumption of compatibility of secondary use, and openness to so-called broad consent: a long-awaited piece of the puzzle. But are the practical uncertainties really overcome?

The relationship between scientific research and data protection has always been one of the most rugged territories of the GDPR. The European legislator handed interpreters a special regime — Articles 5(1)(b), 9(2)(j) and 89 — whose concrete perimeter was largely left to national laws, with a level of harmonisation that is anything but satisfactory. Into this context come the EDPB’s Guidelines 1/2026 “on processing of personal data for scientific research purposes”, adopted on 15 April 2026 in a public-consultation version open from 16 April to 25 June 2026. The Italian Authority also contributed to the drafting. This seems the right place to try to clarify the framework of the Guidelines, pending the final version.

The special research regime in the GDPR

It is worth recalling the normative coordinates. Article 5(1)(b) provides that personal data be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”. Article 89(1) requires “appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject”, ensuring technical and organisational measures, in particular to guarantee respect for the principle of data minimisation. As to special categories, Article 9(2)(j) allows processing where “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)”. Finally, Recital 159 clarifies that the notion is to be understood “in a broad manner”, including technological development and demonstration, fundamental research, applied research and privately funded research.

The notion of scientific research: the six key factors

The first knot addressed by the EDPB is definitional: what, really, is “scientific research”? The Guidelines identify six indicative key factors: a methodical and systematic approach, adherence to ethical standards, verifiability and transparency, autonomy and independence of the research, the objectives pursued and the potential contribution to scientific knowledge. As the document states, “the guidelines present six key-indicative factors that should be considered […]. If the research activities meet these six factors, they can be presumed to constitute scientific research”. The presumptive mechanism thus operates in favour of a controller who satisfies the six factors; otherwise, the burden of justifying the scientific nature of the activity falls on the controller.

Secondary use: the presumption of compatibility

The second pillar is the presumption of compatibility of further processing: “further processing for scientific research purposes is presumed to be compatible with the initial purpose for collecting the personal data. Therefore, a controller that further processes personal data for scientific research purposes does not have to do the purpose compatibility test under the GDPR”. This is crucial: the re-use of data for research is relieved of the compatibility test, but not freed from the need for a suitable legal basis, nor from the Article 89(1) safeguards. Simplification, in other words, is not deregulation.

Legal bases: broad consent, public interest, legitimate interest

On legal bases, the Guidelines offer openings of undoubted practical relevance. First, so-called broad consent is recognised: “it is possible for controllers to rely on the consent of a data subject to collect and process personal data in a certain area of scientific research (so-called broad consent)”, also combined with dynamic-consent modules. Second, public interest may be invoked even by private entities, where covered by the relevant legal act. Third, as to legitimate interest, the EDPB recognises that “scientific research can be a legitimate interest under the GDPR, regardless of whether the research is undertaken on a non-profit or commercial basis”. As to data subjects’ rights, the limitations are circumscribed: for the right to erasure, the exception “only applies if the right to erasure is likely to render impossible or seriously impair the objective of conducting scientific research and if the controller has adopted appropriate safeguards”.

The Article 89 safeguards

As to safeguards, the Guidelines give priority to minimisation techniques: “in line with the principle of data minimisation, anonymised — or alternatively pseudonymised data — should be used for scientific research, as long as the purposes of processing can be fulfilled using such data”. To this are added independent ethical supervision, secure processing environments, privacy-enhancing technologies and confidentiality agreements, as well as the duty to assess and document the allocation of roles in multi-actor protocols and public-private partnerships.

Critical issues: the uncertainties that remain

Notwithstanding the Board’s stated aim of facilitating innovative research, the picture cannot be said to be definitively settled. First, the lack of operational standardisation of the safeguards: anonymisation, PETs and secure environments remain referred to in general terms, without uniform technical criteria. Second, the residual national fragmentation, in an area where the GDPR leaves Member States wide margin of manoeuvre. Finally, the power asymmetries in healthcare settings and public-private partnerships, which call into question the actual freedom of consent and the operational sustainability of large-scale dynamic consent.

Conclusions

Guidelines 1/2026 represent an awaited and, in many respects, welcome piece: the broad notion of research, the presumption of compatibility and the openings on so-called broad consent give operators coordinates that are at last common. The final version, following the consultation closed on 25 June 2026, will tell whether stakeholders’ observations have been heard. In the light of the above, one wonders whether the new interpretive framework will truly reduce the fragmentation that still divides national laws, or whether, absent uniform technical criteria on the Article 89 safeguards, the margin of manoeuvre left to the Member States will continue to produce uneven regimes, precisely on the most delicate terrain of health data, biobanks and the training of artificial-intelligence systems.