The European Data Protection Board (EDPB) released Guidelines 1/2026 on April 15, 2026, introducing a six-factor test to define "scientific research" under the General Data Protection Regulation (GDPR). Organizations must now evaluate methodical approach, ethical standards, verifiability, independence, societal contribution, and knowledge advancement. The public consultation closes June 25, 2026.
If your app, SaaS platform, or research tool has been claiming the research exemption to skip consent or delay erasure requests, these guidelines just raised the bar. Supervisory authorities are already using this framework to assess compliance.
What qualifies as scientific research under GDPR?
Six-factor test for GDPR scientific research qualification
The EDPB now requires organizations to evaluate six key indicative factors to determine if processing qualifies as scientific research: a methodical and systematic approach, adherence to ethical standards, verifiability and transparency, autonomy and independence, objectives contributing to society's knowledge and well-being, and potential to contribute to or apply scientific knowledge in novel ways. If all six factors are met, the activity is presumed to be scientific research. Miss any factor, and you need documented justification for why your processing still qualifies.
The problem? Many commercial data practices labeled "research" fail the verifiability, independence, and transparency tests. The EDPB explicitly warns that scientific research "may not be stretched beyond its common meaning"—meaning your product analytics, A/B testing, and market research probably don't count, even if you publish white papers.
How does the compatibility presumption actually work?
The GDPR's Article 5(1)(b) compatibility presumption has always been misunderstood. The EDPB now clarifies that further processing for scientific research is presumed compatible with the original purpose—skipping the compatibility assessment—but you still need a valid legal basis for that further processing. Controllers originally relying on consent can't automatically reuse data for new research projects unless the new purpose falls within the original consent's scope or they obtain new consent.
The guidelines confirm that retention for "unspecified future research" is not permitted. Future research must be reasonably foreseeable and tied to a defined research area. Translation: your "we might use this for research someday" privacy policy won't survive scrutiny. If you're building data lakes for exploratory analytics without specific research questions, expect enforcement action.
Can you still use broad consent for research?
Yes, but with guardrails. The EDPB confirms that controllers may rely on broad consent where research purposes aren't fully known at data collection time—provided the consent covers a defined research area (e.g., "neurodegenerative disease research") and appropriate safeguards like pseudonymization, access controls, and ethics committee oversight are in place. "Research in general" is explicitly insufficient.
Dynamic consent—where controllers ask for consent to specific projects as purposes become known—is also permitted, and the guidelines allow combinations of broad and dynamic consent. But the transparency chapter is more demanding than many realize: the EDPB expects long-term research controllers to implement continuing transparency through dashboards, dedicated websites, and proactive updates when processing evolves.
What happens to data subject rights in research contexts?
The Article 89 derogations—allowing limitations on erasure and objection rights for scientific research—must now be interpreted restrictively and applied case-by-case. You can't assume blanket exemptions. Each limitation must be justified, documented, and defensible based on whether honoring the request would render the research impossible or seriously impair its objectives.
For SaaS companies processing user data in research partnerships or academic collaborations, this creates compliance friction. If a user exercises their right to erasure, you need documented evidence that deleting their data would break the scientific validity of an ongoing study—not just that it would be inconvenient. Controllers using the disproportionate effort exemption to skip direct notifications must now conduct granular, case-by-case assessments considering data subject count, data age, safeguards, and individual impact.
Does commercial research still qualify?
The guidelines confirm that scientific research may be conducted by private entities and may be profit-oriented, as long as it meets the methodological and ethical standards of the relevant field. Pharmaceutical clinical trials are explicitly cited as qualifying. However, translational research, proprietary model development, and real-world evidence generation face higher scrutiny if they don't map cleanly onto the verifiability, publication, and independence factors.
The EDPB acknowledges that trade secrets and intellectual property may limit openness, but controllers must still demonstrate genuine scientific purposes. If your data processing is primarily for product optimization, competitive intelligence, or user profiling—even if it generates insights you publish—it likely fails the test. Simply labeling an activity "research" is not sufficient.
What should you do before the guidelines finalize?
If your platform claims scientific research exemptions, scan your site for compliance gaps now. Map your processing activities against the six-factor framework and document your justifications. Review your consent mechanisms—if you're relying on broad consent, ensure it defines a specific research area and implements Article 89(1) safeguards like pseudonymization and access controls. Audit your data retention policies to confirm future research is reasonably foreseeable and tied to defined purposes.
Reevaluate joint controller arrangements in research collaborations. The guidelines emphasize that entities actively shaping research protocols or essential processing means are controllers or joint controllers—not processors. Your contract templates may need revision. And if you're invoking the disproportionate effort exemption to skip transparency obligations, document your case-by-case assessments and implement alternative measures like public notices.
The consultation closes June 25, 2026, but supervisory authorities are already treating this as interpretive guidance. Once finalized, these guidelines will shape enforcement across all EU member states. The era of vague "we use your data for research purposes" disclosures is over.
Frequently Asked Questions
What are the six factors the EDPB uses to define scientific research under GDPR? The EDPB requires: methodical and systematic approach, adherence to ethical standards, verifiability and transparency, autonomy and independence, objectives contributing to societal knowledge, and potential to contribute to or apply scientific knowledge in novel ways. Meeting all six creates a presumption of scientific research.
Can I still reuse personal data for scientific research without new consent? Yes, if the further processing genuinely qualifies as scientific research and you have a valid legal basis. The GDPR presumes compatibility with the original purpose, but you must still assess whether your original legal basis (e.g., consent, legitimate interest) covers the new processing or if you need a new basis.
Does product analytics or A/B testing count as scientific research under these guidelines? Unlikely. The EDPB warns that scientific research "may not be stretched beyond its common meaning." Most commercial analytics lack the verifiability, independence, and transparency required by the six-factor test, even if you publish results or insights from the data.
What safeguards does the EDPB require when using broad consent for research? Controllers must define a specific research area or discipline (not "research in general"), implement technical safeguards like pseudonymization and access controls, establish ethics committee oversight, and maintain transparent, ongoing communication with data subjects about how their data is used within that research area.
Can I refuse a data subject's erasure request if it would disrupt my research project? Only if you can document that honoring the request would render the research impossible or seriously impair its scientific objectives, and your processing is necessary for a public interest task. The Article 89 limitations must be applied restrictively on a case-by-case basis—you can't claim blanket exemptions.
When will these guidelines become binding on EU data protection authorities? The public consultation closes June 25, 2026, after which the EDPB will publish final guidelines. While not legally binding, supervisory authorities across the EU will use them as authoritative interpretation when assessing compliance and issuing enforcement decisions.