On 16 April 2026, the European Data Protection Board adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes — the most comprehensive guidance to date on how the GDPR applies to academic, public-sector, and commercial research, including research that relies on AI, large datasets, and the reuse of personal data.

The guidelines introduce six indicative factors for determining whether processing qualifies as scientific research within the meaning of the GDPR: a methodical and systematic approach; adherence to ethical standards; verifiability and transparency allowing peer review; autonomy and independence for the research team; objectives aimed at contributing to society's general knowledge and well-being; and the potential to contribute to existing scientific knowledge or apply it in novel ways. This framework is intended to prevent organisations from labelling commercial data processing as "research" to access more favourable legal bases or exemptions.

For AI-enabled research or large-scale processing of genetic data, the guidelines make clear that a Data Protection Impact Assessment (DPIA) will almost always be required under Article 35 of the GDPR. The EDPB also addresses the reuse of personal data for research purposes, a question of particular relevance to organisations training AI models on previously collected datasets. The guidelines clarify the conditions under which further processing for research may be considered compatible with the original purpose of collection.

The public consultation on Guidelines 1/2026 closes on 25 June 2026. In parallel, the EDPB has established a dedicated sprint team to finalise related guidelines on anonymisation by the summer — a development that will have direct implications for how anonymised datasets are prepared and validated for research and AI training.

Acompli perspective: If your organisation processes personal data for research or AI development, these guidelines demand attention now — not after the consultation closes. The six-factor framework for what counts as research, and the near-automatic DPIA requirement for AI-enabled processing, set a high bar. Organisations should review their assessment processes to ensure they cover AI research use cases, confirm that their data mapping captures the full lifecycle of research data, and document the legal basis for any reuse of personal data in AI training pipelines.