I have now waded through all 66 pages of the European Data Protection Board’s draft guidelines on scientific research, and here’s a brief(?) download:
- The EDPB proposes six key indicators for what constitutes “scientific research”:
- a methodological and systematic approach, e.g. following a comprehensive research plan;
- adherence to ethical standards;
- verifiability & transparency (i.e. allowing peer review);
- autonomy & independence for the research team, e.g. to define their own research questions;
- the aim of the research is to contribute to the growth of society’s general knowledge & well-being; and
- the activities have the potential to contribute to existing scientific knowledge or apply it in novel ways. You don’t have to meet all the factors – but the fewer you hit, the harder it will be to claim your activity is scientific research.
- The guidance is clear that scientific research can be for-profit and on a commercial basis.
- There’s nothing on technological development. Which is a big gap, IMHO, given that “product development” (especially medtech) is where a lot of the uncertainty lies.
- There’s a surprising emphasis on consent, with not much concern about the “freely given” element for patients needing medical treatment. This is something of a departure from their position in the 2019 guidance on clinical trials.
- The guidance introduces helpful concept of a “broad consent” (i.e. covering broad research purposes) and a “dynamic consent” (i.e. that can change over time).
- The guidelines confirm that scientific research is a legitimate interest, and can be of “significant weight” in the balancing test. Which is definitely good news for those of us who are still nervous relying on consent (not least because it can be withdrawn).
- The EDPB go big on ongoing transparency as the research evolves. They even suggest controllers should make reasonable efforts to acquire contact details for participants, if they don’t have them already. This seems somewhat at odds with Art 11 GDPR.
- However, there is some helpful stuff on “disproportionate effort” in Art 14, where controllers are allowed to take into account: (1) a high number of data subjects; (2) difficulties finding contact details; and (3) the age of the personal data (e.g. if it is 10+ years old).
- Erasure requests must be assessed based on the individual circumstances of each request – so no blanket refusals.
- Joint controllers: the fact that an organisation provides funding or is “consulted” in drafting a research protocol is not alone sufficient to make it a joint controller. But later in the guidance “participating jointly in the drafting of the research protocol” could well be.
There’s more to say, but I’m going to leave it there. But would be interested in others' thoughts!
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2025-09-29-13-48-10-128-68da8e1af6347a2c4b96de4e.png)
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2025-07-10-13-52-35-189-686fc5a39f23a993118ba1a0.png)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2026-04-16-11-28-12-474-69e0c7ccbc02875e3a00b506.jpg)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2026-04-15-13-51-29-861-69df97e159169cd79419c0f5.jpg)