The EDPB’s draft Guidelines 1/2026 on scientific research are the most useful development for clinical-trials privacy governance since Opinion 3/2019 on the interplay between the Clinical Trials Regulation and the GDPR. That is not because the Board has rebuilt the legal architecture from first principles. It has not. The real significance of the 2026 text is that it consolidates and sharpens a framework that trial sponsors, CROs, sites and DPOs have been managing through a mixture of clinical-trial guidance, general GDPR rules and sectoral practice.
The Guidelines were adopted in a version for public consultation on 15 April 2026, and the EDPB consultation remains open until 25 June 2026. Their direction is already clear enough to affect how senior privacy teams should structure clinical-trial governance now.
The first shift is that scientific research must now be evidenced, not assumed. The EDPB states that only genuinely scientific activity benefits from the GDPR’s research-specific rules and gives six indicative factors for assessing that status. Importantly for life-sciences organisations, the Board’s own example treats a pharmaceutical clinical trial as scientific research even though it is run by a commercial company. The decisive features are not the commercial context but the research plan, good clinical practice, ethical review, qualified researchers, transparency and knowledge contribution.
For clinical trials, the practical consequence is not that every protocol must defend its scientific status from scratch. It is that adjacent activities such as extension studies, optional repositories, sub-projects, federated databases, further analytics and AI-driven evidence generation should no longer be allowed to inherit “scientific research” status by assumption.
The second shift is that lawful basis is broader than many teams assume, but less forgiving of shorthand. Opinion 3/2019 already drew an important distinction between processing linked to reliability and safety purposes, which may fall under legal obligation, and processing purely related to research activities, which may instead rely on public interest, legitimate interests or, in certain narrow cases, explicit consent.
Guidelines 1/2026 preserve that architecture, but they now say more clearly that private entities may use Article 6(1)(e) where Union or Member State law covers their research activity, and that scientific research can constitute a legitimate interest under Article 6(1)(f), even on a commercial basis. The right governance lesson is therefore not that consent has disappeared. It is that trial privacy files should now show a more mature purpose-by-purpose pairing of Article 6 and Article 9 reasoning, rather than defaulting to a generic consent discussion.
The question is no longer simply “what is the lawful basis for the trial?” It is “what is the lawful basis for each processing purpose across the trial lifecycle?”
The third shift is that participation consent and GDPR consent must be separated more deliberately. That distinction is not new. The Commission’s Q&A and Opinion 3/2019 already made clear that informed consent under the CTR is not the same thing as consent under the GDPR. What the 2026 guidance adds is a more usable operational model.
The EDPB states that consent to participate in research, required by ethics or other legal rules, protects dignity and bodily integrity and may function as an additional safeguard under Article 89, but it is not itself required by the GDPR. If controllers ask for both participation consent and GDPR consent at the same moment, the GDPR request must be clearly distinguishable. A common form or interface may still be acceptable, but only if the requests are genuinely separable. That matters because many trial packs still collapse ethical participation language and data-protection language into a single undifferentiated request.
The same section of the Guidelines makes the broad-consent debate much more useful for practice. Earlier consent guidance was cautious, and rightly so: Recital 33 introduced flexibility but did not disapply the requirement for specific consent or allow controllers to evade purpose specification. The 2026 Guidelines keep that discipline, but they explain how “broad consent” and “dynamic consent” should work over time.
Broad consent may support data collection, curation, storage and subsequent project-level processing within a certain research area and within participants’ reasonable expectations. Where a later project falls outside that area or outside those expectations, the controller should move to dynamic consent. For trials, that makes optional future use, secondary research and long-tail follow-up more governable, but also harder to describe vaguely.
The fourth shift is that transparency, retention, rights and transfers are now lifecycle questions. This is one of the most significant practical advances in the new guidance. The EDPB expects controllers involved in longer-term scientific research to maintain transparency throughout the processing period, not just at enrolment. It suggests tools such as privacy dashboards and, where relevant, consent receipts.
More importantly, it lists the kinds of developments that require renewed or updated information: change of purpose, different legal basis, changed controller identity, new research partners not reasonably expected by the data subject, especially outside the EEA, retention extensions, new categories of data, changed risk profile, and changed rights interfaces. For trial sponsors, this means privacy governance must now be tied much more closely to protocol amendments, storage decisions, vendor changes, consortium changes and secondary-use approvals.
That lifecycle emphasis also affects Article 17 and Article 21 handling. Research-related limits on erasure and objection remain available, but the EDPB reads them strictly. The right-to-erasure exception in Article 17(3)(d) requires strict necessity and a high threshold; inconvenience is not enough. The Guidelines illustrate that a single erasure request may not seriously impair a very large study, but could do so in small-cohort or longitudinal research. Likewise, objections can only be rejected under the specific conditions in Article 21(6), and controllers must be able to show continuing necessity. Notices and rights SOPs that still speak in generic terms need to be reworked accordingly.
The fifth shift is role allocation. Sponsor, site and processor roles have always been central to clinical-trials privacy governance, and Guidelines 1/2026 make the issue more operational.
The Board states that a sponsor may remain a controller even where the bulk of directly identifying data remain at the site and the sponsor mostly receives pseudonymised data, because controllership follows the determination of purposes and essential means. The CRO example is similarly useful: where the sponsor defines the essential means in the protocol and the CRO acts on instruction under a service arrangement, the CRO remains a processor despite practical leeway over non-essential means.
At the same time, the Guidelines warn that if multiple actors jointly shape the protocol or otherwise jointly determine purposes and essential means, joint controllership may arise. The lesson is that role analysis must be functional, evidenced and reviewed as the study structure evolves.
In clinical trials, the decisive question is rarely “who holds the identifiers?” It is more often “who determines why and how the data are processed?”
The sixth shift is where the 2026 guidance is strongest: DPIAs and Article 89 safeguards are now the centre of the file. The EDPB states that the starting point for appropriate safeguards is a risk analysis or, where required, a DPIA. It also says controllers should look beyond privacy in a narrow sense and consider wider impacts on rights and freedoms, which is especially relevant in medical research where data processing may affect access to care, create stigma, or generate exclusionary effects.
The safeguards discussion is concrete. Controllers must determine which data are strictly necessary. They should anonymise where the purpose can be achieved without identifiability, use pseudonymisation where anonymisation is not feasible, process directly identifying data only where strictly necessary and proportionate, and maintain ongoing verification that anonymisation or pseudonymisation remains effective over time.
The Guidelines also point to access controls, secure processing environments, confidentiality arrangements, conditions for further use, ethics approval or independent review, and controls around publication and onward sharing. Taken seriously, that turns the DPIA from a static annex into the document that links legal basis, necessity, safeguards, notices, retention and data-sharing.
Five actions follow from those shifts. First, revisit live and planned trial files to ensure they would actually demonstrate that the study qualifies as scientific research in the EDPB’s sense. Secondly, rebuild lawful-basis analysis purpose by purpose, pairing Article 6 and Article 9 explicitly and separating research-participation consent from GDPR consent. Thirdly, redesign participant-facing transparency for long study lifecycles, especially where future reuse, new data categories, non-EEA collaborators or retention extensions are plausible. Fourthly, revisit sponsor-site-CRO-consortium role allocation based on functional reality rather than commercial labels. Finally, reposition the DPIA as the working record of your Article 89 safeguards, not a late-stage formality. That is the most defensible way to update trial governance in light of the new EDPB direction.
The sample language below is deliberately framed as starting-point wording, not publication-ready legal text. It reflects the current EDPB direction and the existing clinical-trials framework, but it will still need study-specific and Member State-specific review before use.
Your agreement to take part in this clinical trial is requested under the ethical and clinical rules governing the study. This is separate from the legal basis under data protection law for the processing of your personal data.
For the conduct of this study, including protocol management, safety reporting, quality controls, archiving and related scientific analysis, we process your personal data on the basis of [insert Article 6 basis]. Where health or other special-category data are involved, we also rely on [insert Article 9 condition and any relevant Union or Member State legal measure].
Where we ask you to agree to an optional future use of your personal data that is outside the scope of the study purposes explained above, we will request that separately and explain the specific purpose, the categories of data involved, the recipients, any transfer implications and your choices.
The DPIA structure below reflects the EDPB’s instruction that risk analysis or a DPIA is the starting point for Article 89 safeguards and that research risk assessment should look beyond privacy narrowly understood.
| DPIA heading | What to cover |
|---|---|
| Study description and scientific-research qualification | Protocol summary; the six scientific-research factors; collaborators; study lifecycle. |
| Processing map | Trial site collection, sponsor flows, CRO/vendor access, repositories, publications and secondary use. |
| Article 6 lawful basis by processing purpose | Safety reporting, protocol conduct, optional future studies, recruitment, retention and publication. |
| Article 9 condition by data set | Health, genetic, biometric, adverse event and vulnerable-subject data; applicable national law. |
| Participation consent versus GDPR basis | How the two are separated in documents and governance. |
| Necessity and proportionality | Why each category of data, recipient, retention period and transfer is needed. |
| Role allocation | Sponsor, site, CRO, labs, platform providers, repositories and joint-controller analysis. |
| Transparency and notices | Current notices, update triggers, contact point and patient-facing wording. |
| Transfers and disclosures | Chapter V analysis, onward sharing, foreign partners, inspectors and secure environments. |
| Rights handling | Access, rectification, objection, erasure, Article 17/21 thresholds and local derogations. |
| Safeguards under Article 89 | Pseudonymisation, anonymisation, key custody, access controls, ethics oversight and governance board. |
| Residual risk and review triggers | Protocol amendments, new arms, new partners, retention extensions and new data categories. |
The data-sharing clause below reflects the EDPB’s emphasis on role precision, purpose control, anonymisation-first logic where possible, and enforceable controls around re-identification and onward use.
Each party shall document and maintain its GDPR role in relation to each processing operation covered by the study protocol and associated data flows. Where the parties jointly determine the purposes and essential means of processing, they shall enter into an Article 26 arrangement reflecting their respective responsibilities and making the essence of that arrangement available to data subjects.
The receiving party shall not process the disclosed data for a new scientific research purpose unless it has documented a lawful basis under Article 6 GDPR, an applicable Article 9 condition where relevant, and any required safeguards under Article 89(1) GDPR, together with any applicable Chapter V transfer mechanism.
Data shall be shared in anonymised form where the receiving purpose can reasonably be achieved without identifiable or pseudonymised data. Where pseudonymised disclosure is necessary, the parties shall maintain technical and organisational controls to prevent unauthorised re-identification and to support the practical exercise of data subject rights.
Like the notice wording above, this clause is starting-point drafting rather than publication-ready text. It still needs to be aligned with the study’s actual Article 26 or Article 28 arrangement, with the agreed pseudonymisation key custody model, and with any national rules on health-data sharing before it is used.
The timeline below sets out how those actions can be sequenced against the consultation period and normal governance cycles.

| Timing | Priority action | Why it matters now |
|---|---|---|
| Immediate | Re-open the privacy position paper for live and pipeline studies and test each one against the six-factor research framework, the Article 6 and 9 pairing, and the consent split. | Many legacy files assume research status and legal basis rather than demonstrating them. |
| Next review cycle | Refresh participant notices, optional-use wording, DPIA templates, Article 26/28 drafting and CRO questionnaires. | The 2026 guidance affects participant-facing materials and contract architecture as much as legal analysis. |
| Trigger-based | Reassess where there is a new purpose, new legal basis, new controller identity, new non-EEA partner, retention extension, new data category or changed risk profile. | The new guidance treats these developments as transparency and governance triggers. |
| Annual / long-study review | For long-running trials, biobank links and extension studies, run a combined retention, transparency and rights review. | The lifecycle model is one of the biggest practical changes in the guidance. |
Responsibilities differ by actor. The table below allocates the priority actions among the sponsor, the CRO and the DPO.

| Actor | Priority actions | Primary governance focus |
|---|---|---|
| Sponsor | Document why the study qualifies as scientific research; map Article 6 and Article 9 purpose by purpose; separate participation consent from GDPR consent; keep the DPIA live; revisit role allocation if the protocol, partners or downstream use change. | Accountability record, lawful basis, Article 89 safeguards and participant transparency. |
| CRO | Confirm whether the service model truly fits Article 28; escalate where the CRO starts determining purposes or essential means; maintain evidence of access controls, deletion practice, sub-processing and transfer locations. | Processor discipline, instruction boundaries, technical controls and transfer evidence. |
| DPO | Challenge over-simplified consent logic; test Article 17/21 assumptions; require update triggers for retention, new partners and interface changes; ensure Article 89 safeguards are specific to the study rather than generic. | Independent challenge, rights handling, lifecycle governance and auditability. |
Although Guidelines 1/2026 remain in draft form and may still evolve following the public consultation process, the broader regulatory direction is already clear. The EDPB is moving towards a more integrated and operational view of scientific research governance under the GDPR, particularly in health and clinical-trial contexts. For sponsors, CROs, DPOs and privacy leaders, the message is not that clinical research has become more restricted, but that it now requires a more structured and defensible approach across the full research lifecycle.
The guidance reinforces that scientific research cannot be treated as a broad compliance label or a standalone lawful-basis exercise. Instead, organisations are expected to demonstrate how lawful basis decisions, Article 89 safeguards, transparency measures, role allocation, retention practices and international transfers work together within a coherent governance framework. DPIAs, in particular, are likely to become more central operational documents rather than static compliance records.
At the same time, organisations should remain cautious about assuming full harmonisation across the EU. The GDPR continues to leave significant room for Union and Member State legislation in areas such as public-interest research, special-category processing and health-sector safeguards, particularly under Articles 6(1)(e), 9(2)(g)-(j) and 9(4). Clinical-trial sponsors and research institutions will therefore still need to assess national legal requirements alongside the EDPB guidance, especially where sensitive data, long-term retention or cross-border research arrangements are involved.
For data protection, privacy and compliance teams, the practical challenge now is less about rewriting existing governance models from scratch and more about making them more explicit, evidence-based and operationally sustainable. Organisations that embed these principles early into trial design, contracting, DPIAs and participant transparency processes are likely to be in a stronger position once the final guidance is adopted.