Month: May 2026

On 27 May 2026, XpertDPO Limited submitted feedback to the European Commission’s targeted consultation on the draft guidelines for the classification of high-risk AI systems under Article 6 of the EU AI Act.

The consultation is important because classification is the gateway into the AI Act’s high-risk regime. If an AI system is wrongly classified, the consequences are practical and serious: providers may under-document systems, deployers may misunderstand their responsibilities, and people affected by AI-assisted decisions may lose the benefit of the safeguards the law is meant to provide.

We submitted because the draft guidance is useful, but it needs to be more operational for real organisations.

What we commented on

We focused our response on three areas:

• Section II, especially intended purpose and how it should be evidenced in real deployments.
• Section IV, especially Annex III, human involvement, complex workflows, Article 6(3), profiling, and the practical meaning of material influence.
• Article 112, where the Commission is gathering input on whether the high-risk use cases in Annex III should be clarified, amended, or expanded.

We did not comment on every part of the questionnaire. We kept the response focused on the places where XpertDPO sees the greatest practical classification risk for providers, deployers, DPOs, governance teams, procurement teams, and organisations implementing AI-enabled tools.

Our core point

The final guidance should make it easier to recognise when an AI system materially shapes an outcome for a natural person, even where a human remains formally involved.

Many systems will not look dramatic. They may be sold as ordinary workflow tools, case-management features, copilots, dashboards, triage tools, summarisation tools, ranking tools, or recommendation features. But if they affect who is prioritised, flagged, routed, scrutinised, shortlisted, escalated, delayed, or given access to a service, they may have real-world consequences.

Our submission asks the Commission to make those practical indicators clearer.

Intended purpose needs evidence

We asked for more guidance on how intended purpose should be evidenced in real deployments, especially for SaaS products, embedded AI features, workflow tools, and general-purpose AI systems.

A provider may market a tool broadly, while a deployer configures it for a specific decision process. Equally, a tool may be described as “assistive” but then be used inside HR, education, public services, credit, insurance, healthcare, or casework decisions.

Our view is that organisations need clearer examples of the evidence they should keep, including:

• intended-purpose statements;
• unsupported-use limits;
• Annex III mapping;
• affected persons and user groups;
• output type;
• decision context;
• human review design;
• change-control triggers.

This matters because classification should not be a one-off label. It should be revisited when the system’s purpose, users, affected persons, workflow integration, profiling activity, or decision context changes.

Human involvement is not enough on its own

The draft guidelines rightly say that human involvement does not automatically remove a system from high-risk classification.

We supported that position and asked for it to be made more practical. The final guidance should distinguish genuine independent human assessment from rubber-stamping, automation bias, workload pressure, or review that only happens after an AI system has already ranked, filtered, flagged, routed, or prioritised a person or case.

The question should not be only whether a human makes the final formal decision. The question should also be whether the AI output materially shapes the path to that decision.

Article 6(3) should remain a narrow filter

Article 6(3) allows some Annex III systems to be filtered out of high-risk classification where they do not pose a significant risk of harm and meet specific conditions.

We agree that this filter is important for proportionality. But it must be applied carefully.

Our submission asks the Commission to define practical indicators of material influence, such as:

• ranking;
• scoring;
• prioritisation;
• eligibility flags;
• risk labels;
• recommended outcomes;
• default options;
• confidence-weighted suggestions;
• selective presentation of evidence;
• case routing;
• queue position;
• escalation;
• suppression of information.

These features may influence a human outcome even if the system is formally described as advisory.

We asked for more borderline examples

The most useful guidance for organisations will be worked examples.

We suggested examples such as:

• CV summarisation versus candidate ranking;
• benefits case-file indexing versus eligibility recommendation;
• healthcare referral indexing versus care-pathway prioritisation;
• customer vulnerability identification versus service prioritisation or restriction;
• fraud detection on transactions versus profiling or risk-scoring natural persons;
• learning analytics dashboards used only by students versus institutional tools used for progression, grading, support allocation, or monitoring;
• public-sector outsourced triage performed on behalf of an authority;
• AI meeting notes or case summaries used in disciplinary, complaints, HR, or public-service casework;
• general-purpose copilots used to draft, recommend, quality-check, or structure decisions in Annex III contexts;
• quality assurance of completed decisions versus live influence on pending decisions;
• agentic workflows where several low-risk steps combine into high-risk decision support.

These are the sorts of examples organisations will actually need when they are classifying AI systems in procurement, deployment, DPIAs, AI governance reviews, and vendor due diligence.

Education, employment, and essential services

We focused in particular on three Annex III areas: education, employment, and access to essential private and public services.

In education, we asked the Commission to distinguish genuinely student-controlled support tools from systems used by institutions to classify, stream, grade, monitor, allocate support, detect prohibited behaviour, influence progression, or assess special educational needs.

In employment, we supported a broad functional approach. Systems used for targeted job advertising, CV ranking, candidate sourcing, interview scoring, shift allocation, productivity scoring, behavioural monitoring, platform access, promotion, or termination should not be filtered out where they affect opportunity, pay, progression, or continued engagement.

In essential services, we asked the Commission to connect classification more explicitly to practical contestability. In benefits, healthcare, housing, care services, credit, insurance, emergency response, and similar contexts, affected persons may be vulnerable or dependent. The risk is not only outright denial. Delay, lower priority, additional scrutiny, escalation, or reduced effective access can also matter.

Our Article 112 position

We took a stronger position under Article 112.

XpertDPO recommended that the Commission consider adding or expressly clarifying use cases for AI systems that materially influence healthcare access, care-pathway prioritisation, allocation of care resources, waiting-list order, referral urgency, or outsourced public-service triage performed by or on behalf of public authorities.

These systems can determine whether, when, and how a natural person receives essential care or public support. The consequences of error, bias, delay, or de-prioritisation can be severe, particularly for children, older persons, persons with disabilities, patients, benefit claimants, and people with limited capacity to challenge decisions.

If the Commission considers these use cases already captured by existing Annex III areas, our view is that the final guidance should say so expressly and provide worked examples.

Why this matters

The AI Act will only work if organisations can classify systems consistently before harm occurs.

High-risk classification is not just an abstract compliance label. It is the point at which organisations decide what evidence they need, what safeguards apply, what questions to ask providers, and what people affected by AI-assisted decisions can reasonably expect.

That means the final guidance needs to be usable by the people who will apply it in practice: product teams, deployers, DPOs, compliance teams, procurement teams, risk teams, senior leaders, and public bodies. It must help them identify when an ordinary-looking tool is no longer just administrative support, but is materially shaping outcomes for people.

XpertDPO submitted because this is where practical accountability starts: in clear classification, visible reasoning, and early recognition of the people whose rights, access, opportunities, care, or livelihood may be affected.

We will add a link to the published submission here when the Commission makes consultation responses available.

Preparation note

The response was submitted by XpertDPO Limited, directed and reviewed by Philipa Jane Farley, and prepared with AI-assisted drafting support from Eliot/Codex.

Why this matters now

On 13 May 2026, the text of the Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law was published in the EU Official Journal. The EU had already approved conclusion of the Convention through Council Decision (EU) 2026/1080, adopted on 21 April 2026.

For EU organisations, the important point is that the Convention does not displace the EU AI Act. The EU decision makes clear that the Convention will be applied in the Union through Regulation (EU) 2024/1689, the EU AI Act, and other relevant parts of EU law where appropriate.

The significance is therefore not that organisations now need a separate Convention compliance programme. It is that the Convention confirms the broader governance frame in which AI regulation now sits: human rights, democratic integrity, rule of law, transparency, accountability, remedies and lifecycle risk management.

The AI Act tells organisations much of what they must do; the Convention helps explain what responsible AI governance must be able to prove.

Not a separate compliance track

It is worth being precise about what the Convention does not do. For organisations operating in the EU, it does not replace the AI Act or create a separate operational regime that sits beside it. The practical questions of AI classification, provider and deployer obligations, transparency duties, technical documentation, post-market monitoring and high-risk system controls remain anchored in the AI Act where that Act applies.

Nor should the Convention be treated as a new checklist for every organisation to complete in isolation. The Convention is an international treaty framework. Its direct obligations are framed around Parties to the Convention, while the EU has connected its implementation to the AI Act and other parts of the Union acquis.

It also does not mean that every AI system should be treated as high risk. Proportionality still matters. A low-impact productivity tool should not be governed in the same way as an AI system used to support access to healthcare, employment, education, credit, public services or legal rights.

The value of the Convention is different. It helps clarify the rights-based purpose behind AI governance. It gives organisations a way to test whether existing AI controls can evidence not only classification and compliance status, but also accountability, transparency, oversight, remedies and lifecycle risk management.

A rights-based governance framework

The Convention is best understood as a rights-based governance framework for AI. It places the design, development, deployment and use of AI systems within the wider obligations to protect human rights, democratic processes and the rule of law.

That means the governance question is not limited to whether an AI system falls into a particular regulatory category. Organisations also need to understand how the system may affect people, how those impacts are assessed, what safeguards are in place, and whether there are meaningful routes for oversight, challenge and remedy.

The Convention also takes a lifecycle view. It is concerned not only with the moment a system is procured or launched, but with how risks are identified, documented, mitigated, monitored and reviewed over time.

For DPOs and compliance teams, this is where the Convention becomes practically useful. It gives language for the wider governance evidence that should sit around AI use: not only what the system is, but what it may do to people, who is accountable for it, and how the organisation knows its controls are working.

From classification to evidence

For organisations, the significance of the Convention is not that it creates a separate compliance route. It is that it changes the quality of the governance question.

AI Act classification still matters. Organisations still need to know whether a system is prohibited, high risk, subject to transparency obligations, or outside the more demanding parts of the regime. But classification is not the same thing as governance.

Classification is necessary, but it is not the same as governance.

The Convention points toward a rights evidence layer around AI use. Organisations should be able to show how they have considered the impact of an AI system on people, what safeguards are in place, who is accountable, how the system is monitored, and what route exists if something goes wrong.

That evidence may already sit partly within DPIAs, AI impact assessments, vendor assessments, records of processing, technical documentation, testing reports, escalation procedures and governance minutes. The practical task is to make sure those controls join up, rather than leaving AI assurance scattered across disconnected documents.

This aligns closely with the approach discussed in our article on AI Governance and Data Protection Impact Assessments. The issue is rarely the absence of any governance process. More often, the issue is that the process does not reflect how AI systems are actually introduced, used, changed and relied upon in practice.

What DPOs and compliance teams should look for

For DPOs, the Convention reinforces several governance areas that should already be visible in mature AI oversight.

First, risk and impact assessment must reflect the system in use, not only the system as described at procurement. A DPIA or AI impact assessment should consider the people affected, the context of use, the seriousness of potential impacts, and how risks will be monitored over time.

Second, transparency needs to be meaningful. It is not enough to state that AI may be used somewhere in a process. Individuals should be able to understand when AI is involved, what role it plays, and where to go if they need to question or challenge an outcome. This is particularly important for systems that are not high risk but still influence how people are treated, as discussed in our article on low, limited and minimal risk AI that still needs explaining.

Third, human oversight needs to be real. Organisations should be clear about who can intervene, what information they receive, whether they have authority to change an outcome, and how oversight is recorded. A reference to “human in the loop” is not enough if the person involved has no practical ability to understand, question or correct the output.

Fourth, remedies and escalation routes should be designed before something goes wrong. If an AI-supported process affects access to a service, opportunity, benefit or right, the organisation should know how a person can query, correct or challenge the result.

Finally, vendor and lifecycle governance matter. Many AI systems enter organisations through third-party tools or embedded platform features. DPOs should be involved early enough to understand what is being used, what evidence is available, and how risks will be reviewed as the system changes. This is one of the reasons AI DPIAs often become harder than they first appear: ownership, outputs and decision influence are not always clear at the start.

A practical governance test

A useful practical test is whether the organisation can explain the AI system beyond its regulatory category. A label such as “limited risk” or “high risk” may be necessary, but it does not tell the whole governance story.

For any AI system that could materially affect individuals, organisations should be able to answer the following questions:

• What does the system do, and where is it used?
• Whose rights, interests or access to services could be affected?
• What evidence supports the risk assessment?
• Who owns the risk and has authority to act?
• What human oversight, monitoring or review is in place?
• How can an affected person query, challenge, correct or escalate an outcome?

If those answers are spread across procurement files, DPIAs, vendor documents, governance minutes and technical records, the task is not necessarily to create a new process. It may be to join the existing evidence into a coherent governance picture.

What to share with senior stakeholders and decision-makers

The message for senior stakeholders and decision-makers is not that the organisation needs to become expert in the Convention. It is that AI governance should now be treated as an assurance issue, not only a technical, procurement or compliance issue.

Senior leaders do not need to understand every model parameter. They do need confidence that the organisation has visibility of AI use, clear ownership of AI risk, evidence that impacts have been assessed, and routes for oversight, escalation and remedy.

Senior leaders do not need every technical detail. They need assurance that AI is visible, owned, evidenced and reviewable.

The questions to share with the Board, executive team or senior management group are practical:

• Do we know where AI is being used, including vendor and embedded tools?
• Which AI uses could materially affect individuals, services, opportunities or rights?
• Who owns AI risk at senior and operational level?
• What evidence shows that risks have been assessed and controls are working?
• How would a person query, challenge or escalate an AI-supported outcome?

These questions do not require a separate Convention compliance project. They require a clear view of whether existing AI Act, GDPR, DPIA, vendor, risk and accountability processes are joined up well enough to support senior-level assurance.

Bringing it together

The AI Act remains the main operational framework for EU organisations. The Convention adds a wider governance lens. It asks whether AI systems are being managed in a way that protects people, supports oversight, enables remedy and preserves trust in institutions and decision-making.

For DPOs and compliance teams, the practical response is not to create a separate “Convention compliance” process. It is to review whether existing AI governance, DPIAs, vendor assessments, transparency materials, monitoring and escalation routes can evidence the rights-based questions the Convention brings into focus.

The organisations best placed to respond will be those that can show not only what category an AI system falls into, but how it is controlled, who is accountable for it, and what happens when its use affects people.

Sources

• Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law
• Council Decision (EU) 2026/1080
• EU AI Act, Regulation (EU) 2024/1689

Six governance shifts for clinical trials under the EDPB’s draft scientific research guidelines

The EDPB’s draft Guidelines 1/2026 on scientific research are the most useful development for clinical-trials privacy governance since Opinion 3/2019 on the interplay between the Clinical Trials Regulation and the GDPR. That is not because the Board has rebuilt the legal architecture from first principles. It has not. The real significance of the 2026 text is that it consolidates and sharpens a framework that trial sponsors, CROs, sites and DPOs have been managing through a mixture of clinical-trial guidance, general GDPR rules and sectoral practice.

The Guidelines were adopted in a version for public consultation on 15 April 2026, and the EDPB consultation remains open until 25 June 2026. Their direction is already clear enough to affect how senior privacy teams should structure clinical-trial governance now.

1. Scientific research must be evidenced

The first shift is that scientific research must now be evidenced, not assumed. The EDPB states that only genuinely scientific activity benefits from the GDPR’s research-specific rules and gives six indicative factors for assessing that status. Importantly for life-sciences organisations, the Board’s own example treats a pharmaceutical clinical trial as scientific research even though it is run by a commercial company. The decisive features are not the commercial context but the research plan, good clinical practice, ethical review, qualified researchers, transparency and knowledge contribution.

For clinical trials, the practical consequence is not that every protocol must defend its scientific status from scratch. It is that adjacent activities such as extension studies, optional repositories, sub-projects, federated databases, further analytics and AI-driven evidence generation should no longer be allowed to inherit “scientific research” status by assumption.

2. Lawful basis needs purpose-by-purpose analysis

The second shift is that lawful basis is broader than many teams assume, but less forgiving of shorthand. Opinion 3/2019 already drew an important distinction between processing linked to reliability and safety purposes, which may fall under legal obligation, and processing purely related to research activities, which may instead rely on public interest, legitimate interests or, in certain narrow cases, explicit consent.

Guidelines 1/2026 preserve that architecture, but they now say more clearly that private entities may use Article 6(1)(e) where Union or Member State law covers their research activity, and that scientific research can constitute a legitimate interest under Article 6(1)(f), even on a commercial basis. The right governance lesson is therefore not that consent has disappeared. It is that trial privacy files should now show a more mature purpose-by-purpose pairing of Article 6 and Article 9 reasoning, rather than defaulting to a generic consent discussion.

The question is no longer simply “what is the lawful basis for the trial?” It is “what is the lawful basis for each processing purpose across the trial lifecycle?”

3. Participation consent and GDPR consent must stay separate

The third shift is that participation consent and GDPR consent must be separated more deliberately. That distinction is not new. The Commission’s Q&A and Opinion 3/2019 already made clear that informed consent under the CTR is not the same thing as consent under the GDPR. What the 2026 guidance adds is a more usable operational model.

The EDPB states that consent to participate in research, required by ethics or other legal rules, protects dignity and bodily integrity and may function as an additional safeguard under Article 89, but it is not itself required by the GDPR. If controllers ask for both participation consent and GDPR consent at the same moment, the GDPR request must be clearly distinguishable. A common form or interface may still be acceptable, but only if the requests are genuinely separable. That matters because many trial packs still collapse ethical participation language and data-protection language into a single undifferentiated request.

The same section of the Guidelines makes the broad-consent debate much more useful for practice. Earlier consent guidance was cautious, and rightly so: Recital 33 introduced flexibility but did not disapply the requirement for specific consent or allow controllers to evade purpose specification. The 2026 Guidelines keep that discipline, but they explain how “broad consent” and “dynamic consent” should work over time.

Broad consent may support data collection, curation, storage and subsequent project-level processing within a certain research area and within participants’ reasonable expectations. Where a later project falls outside that area or outside those expectations, the controller should move to dynamic consent. For trials, that makes optional future use, secondary research and long-tail follow-up more governable, but also harder to describe vaguely.

4. Transparency and rights are lifecycle questions

The fourth shift is that transparency, retention, rights and transfers are now lifecycle questions. This is one of the most significant practical advances in the new guidance. The EDPB expects controllers involved in longer-term scientific research to maintain transparency throughout the processing period, not just at enrolment. It suggests tools such as privacy dashboards and, where relevant, consent receipts.

More importantly, it lists the kinds of developments that require renewed or updated information: change of purpose, different legal basis, changed controller identity, new research partners not reasonably expected by the data subject, especially outside the EEA, retention extensions, new categories of data, changed risk profile, and changed rights interfaces. For trial sponsors, this means privacy governance must now be tied much more closely to protocol amendments, storage decisions, vendor changes, consortium changes and secondary-use approvals.

That lifecycle emphasis also affects Article 17 and Article 21 handling. Research-related limits on erasure and objection remain available, but the EDPB reads them strictly. The right-to-erasure exception in Article 17(3)(d) requires strict necessity and a high threshold; inconvenience is not enough. The Guidelines illustrate that a single erasure request may not seriously impair a very large study, but could do so in small-cohort or longitudinal research. Likewise, objections can only be rejected under the specific conditions in Article 21(6), and controllers must be able to show continuing necessity. Notices and rights SOPs that still speak in generic terms need to be reworked accordingly.

5. Role allocation must follow functional reality

The fifth shift is role allocation. Sponsor, site and processor roles have always been central to clinical-trials privacy governance, and Guidelines 1/2026 make the issue more operational.

The Board states that a sponsor may remain a controller even where the bulk of directly identifying data remain at the site and the sponsor mostly receives pseudonymised data, because controllership follows the determination of purposes and essential means. The CRO example is similarly useful: where the sponsor defines the essential means in the protocol and the CRO acts on instruction under a service arrangement, the CRO remains a processor despite practical leeway over non-essential means.

At the same time, the Guidelines warn that if multiple actors jointly shape the protocol or otherwise jointly determine purposes and essential means, joint controllership may arise. The lesson is that role analysis must be functional, evidenced and reviewed as the study structure evolves.

In clinical trials, the decisive question is rarely “who holds the identifiers?” It is more often “who determines why and how the data are processed?”

6. DPIAs and Article 89 safeguards sit at the centre of the file

The sixth shift is where the 2026 guidance is strongest: DPIAs and Article 89 safeguards are now the centre of the file. The EDPB states that the starting point for appropriate safeguards is a risk analysis or, where required, a DPIA. It also says controllers should look beyond privacy in a narrow sense and consider wider impacts on rights and freedoms, which is especially relevant in medical research where data processing may affect access to care, create stigma, or generate exclusionary effects.

The safeguards discussion is concrete. Controllers must determine which data are strictly necessary. They should anonymise where the purpose can be achieved without identifiability, use pseudonymisation where anonymisation is not feasible, process directly identifying data only where strictly necessary and proportionate, and maintain ongoing verification that anonymisation or pseudonymisation remains effective over time.

The Guidelines also point to access controls, secure processing environments, confidentiality arrangements, conditions for further use, ethics approval or independent review, and controls around publication and onward sharing. Taken seriously, that turns the DPIA from a static annex into the document that links legal basis, necessity, safeguards, notices, retention and data-sharing.

What should sponsors, CROs and DPOs do now?

First, revisit live and planned trial files to ensure they would actually demonstrate that the study qualifies as scientific research in the EDPB’s sense. Secondly, rebuild lawful-basis analysis purpose by purpose, pairing Article 6 and Article 9 explicitly and separating research-participation consent from GDPR consent. Thirdly, redesign participant-facing transparency for long study lifecycles, especially where future reuse, new data categories, non-EEA collaborators or retention extensions are plausible. Fourthly, revisit sponsor-site-CRO-consortium role allocation based on functional reality rather than commercial labels. Finally, reposition the DPIA as the working record of your Article 89 safeguards, not a late-stage formality. That is the most defensible way to update trial governance in light of the new EDPB direction.

Practical drafting examples for clinical trials

The sample language below is deliberately framed as starting-point wording, not publication-ready legal text. It reflects the current EDPB direction and the existing clinical-trials framework, but it will still need study-specific and Member State-specific review before use.

Sample participant-facing wording distinguishing trial participation consent from GDPR legal basis

Your agreement to take part in this clinical trial is requested under the ethical and clinical rules governing the study. This is separate from the legal basis under data protection law for the processing of your personal data.

For the conduct of this study, including protocol management, safety reporting, quality controls, archiving and related scientific analysis, we process your personal data on the basis of [insert Article 6 basis]. Where health or other special-category data are involved, we also rely on [insert Article 9 condition and any relevant Union or Member State legal measure].

Where we ask you to agree to an optional future use of your personal data that is outside the scope of the study purposes explained above, we will request that separately and explain the specific purpose, the categories of data involved, the recipients, any transfer implications and your choices.

The DPIA structure below reflects the EDPB’s instruction that risk analysis or a DPIA is the starting point for Article 89 safeguards and that research risk assessment should look beyond privacy narrowly understood.

Clinical-research-focused DPIA headings

The data-sharing clause below reflects the EDPB’s emphasis on role precision, purpose control, anonymisation-first logic where possible, and enforceable controls around re-identification and onward use.

Sample data-sharing clause language for sponsor, CRO, site or consortium drafting

Each party shall document and maintain its GDPR role in relation to each processing operation covered by the study protocol and associated data flows. Where the parties jointly determine the purposes and essential means of processing, they shall enter into an Article 26 arrangement reflecting their respective responsibilities and making the essence of that arrangement available to data subjects.

The receiving party shall not process the disclosed data for a new scientific research purpose unless it has documented a lawful basis under Article 6 GDPR, an applicable Article 9 condition where relevant, and any required safeguards under Article 89(1) GDPR, together with any applicable Chapter V transfer mechanism.

Data shall be shared in anonymised form where the receiving purpose can reasonably be achieved without identifiable or pseudonymised data. Where pseudonymised disclosure is necessary, the parties shall maintain technical and organisational controls to prevent unauthorised re-identification and to support the practical exercise of data subject rights.

This wording follows the EDPB’s emphasis on role precision, purpose discipline, Article 89 safeguards, and a strict distinction between anonymisation and pseudonymisation.

Building a more defensible research governance framework

Practical implementation checklist

Conclusion: an evolving area in clinical trials

Although Guidelines 1/2026 remain in draft form and may still evolve following the public consultation process, the broader regulatory direction is already clear. The EDPB is moving towards a more integrated and operational view of scientific research governance under the GDPR, particularly in health and clinical-trial contexts. For sponsors, CROs, DPOs and privacy leaders, the message is not that clinical research has become more restricted, but that it now requires a more structured and defensible approach across the full research lifecycle.

The guidance reinforces that scientific research cannot be treated as a broad compliance label or a standalone lawful-basis exercise. Instead, organisations are expected to demonstrate how lawful basis decisions, Article 89 safeguards, transparency measures, role allocation, retention practices and international transfers work together within a coherent governance framework. DPIAs, in particular, are likely to become more central operational documents rather than static compliance records.

At the same time, organisations should remain cautious about assuming full harmonisation across the EU. The GDPR continues to leave significant room for Union and Member State legislation in areas such as public-interest research, special-category processing and health-sector safeguards, particularly under Articles 6(1)(e), 9(2)(g)-(j) and 9(4). Clinical-trial sponsors and research institutions will therefore still need to assess national legal requirements alongside the EDPB guidance, especially where sensitive data, long-term retention or cross-border research arrangements are involved.

For data protection, privacy and compliance teams, the practical challenge now is less about rewriting existing governance models from scratch and more about making them more explicit, evidence-based and operationally sustainable. Organisations that embed these principles early into trial design, contracting, DPIAs and participant transparency processes are likely to be in a stronger position once the final guidance is adopted.

Sources

• EDPB public consultation: Guidelines 1/2026 on processing of personal data for scientific research purposes
• EDPB Guidelines 1/2026 on processing of personal data for scientific research purposes
• EDPB Opinion 3/2019 on the interplay between the CTR and the GDPR
• EDPB Guidelines 05/2020 on consent under Regulation 2016/679
• European Commission Q&A on the interplay between the CTR and the GDPR
• XpertDPO: Data Protection Requirements in Clinical Trials