EDPB released Guidelines for Scientific Research


On 16 April 2026, the EDPB released Guidelines 1/2026 on the processing of personal data for scientific research purposes. Comments can be submitted until 25 June 2026. These guidelines are very important and were much awaited, because they clarify several grey areas in scientific research and introduce new notions such as broad consent and dynamic consent:

  • the conditions for further processing of patient data for scientific research (section 3): the EDPB considers that in most cases the purposes of the new scientific research can be considered compatible with the previous research
  • how to check the lawfulness of the further processing (sections 3 and 4): if the legal basis used for the first research was the GDPR consent of the data subject, then the EDPB advises obtaining the data subject's consent again
  • under which conditions another sponsor of research can process patient data that was collected for another research by another sponsor (section 3 - item 26): the EDPB considers that it is further processing, and that neither the providing controller (controller A) nor the receiving controller (controller B) needs to undertake a compatibility assessment pursuant to Article 6(4) GDPR. At PharMarketing we are more cautious, and think that patients should at least be informed by controller A that it intends to send the clinical data to B; also, A should check that B has all technical and organisational measures in place to protect the patient data
  • uncertainty of the purposes when designing the research: in section 4.1.2, the EDPB recognises that the purposes of research are not fully known at the time the data are collected
  • broad consent: this topic was already addressed and accepted by Canada's PIPEDA and the UK DUAA. In our opinion, the EDPB does not give a clear definition of when broad consent can be used and how; this will need to be clarified in the future. The EDPB just says that it is not sufficient to only state that personal data will be used for scientific research purposes (item 44) and that controllers should define the purposes of future research as clearly as possible; Data Protection Authorities have been saying this since 2018, so the EDPB doesn't bring much clarity here. If a controller asks for broad consent, then it should adopt additional specific safeguards (item 48)
  • dynamic consent (sections 51 and 52): if the purposes of the research change, then the controller must ask patients again for consent


The other sections of Guidelines 1/2026 don't bring new notions; instead they re-explain things that were already explained in previous EDPB Guidelines or already communicated by Data Protection Authorities in their own local guidelines, workshops or conferences: for example on the DPIA, on the obligation to inform (and re-inform, if relevant) data subjects, on technical and organisational measures, etc.

Download the new Guidelines and provide comments here: https://www.edpb.europa.eu/our...




UK HRA: Updated Model Agreements for Commercial Sponsors




8 April 2026: the UK HRA released updated Model Agreements for use with participating NHS and HSC organisations. These new models came into force on 28 April 2026.


The agreements have been updated to reflect changes to clinical trials regulations, which apply to clinical trials of investigational medicinal products (CTIMPs) and come into force on 28 April 2026.

Policy changes for studies which are not clinical trials of investigational medicinal products (referred to as non-CTIMPs) also take effect from 28 April 2026.

The changes to the model agreements apply to both CTIMP and non-CTIMP studies.


Updates have also been made to the model agreements for use when commercial sponsors and CROs contract with an NHS or HSC organisation to provide chief investigator services. The updates align with the amended clinical trials regulations and contain updated chief investigator fees for use in the financial year 2026-27.


The guidance documents for the commercial model clinical trial agreements (mCTAs) and the model non-commercial agreement (mNCA) give more information about the individual changes made to these agreements.


The following commercial agreements (and their associated guidance) have been published for use from 28 April 2026:


The following non-commercial agreements (and their associated guidance) have been published for use from 28 April 2026:






The EDPB released a DPIA Template


The EDPB released a DPIA Template on 14 April 2026. This is in line with the push by the EU Commission, EU organisations and citizens to make compliance with laws and guidelines simpler.


A DPIA is a risk analysis from the point of view of the data subjects. All organisations that conduct medical research must draft a DPIA, and so must their subcontractors (CRO, central lab, software provider, etc.).


The template is complemented by an explainer document that gives concise guidance on completing the template effectively, breaking down key concepts in simple language and addressing questions and knowledge gaps controllers might have.

The template will be subject to public consultation until 9 June, providing stakeholders with the opportunity to comment and provide feedback. Following the public consultation, all Data Protection Authorities will initiate the necessary steps to adopt this template either as their sole standard or as a ‘meta-template’ to which national-specific templates will align. In the meantime, organisations are encouraged to use this template and to provide feedback in the context of the public consultation.


Read the press release and download the procedure and the template here:

https://www.edpb.europa.eu/new...


PharMarketing's opinion: the PIA software from the CNIL is better


Section '3.1 Impacts of the processing on the rights and freedoms of data subjects' just provides an empty table, but doesn't explain how to evaluate the potential impacts on the private life of data subjects, which is one of the main objectives of a DPIA.

Also, it doesn't indicate that the DPIA must be signed by a Director of the company.

This is where the CNIL's guidelines complement the template, with their brochure on impact severity, probability, etc.

In our view, the software and the methodology and documents provided by the CNIL remain the 'golden standard' to draft a DPIA.


To learn more contact Bertrand at b.p.lebourgeois@pharmarketing.net





Examples of Non-Compliance with Health Data Privacy

Data Protection Authorities ('DPAs') published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.

For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisation. Check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).

Many thanks to GDPRhub (run by NOYB) and to IAPP for all this valuable information!


Slovenia:


Fact:


The DPA found that a medical institution failed to ensure security of processing after losing a data subject's medical file. However, the DPA did not impose a fine or corrective measures. Read more on GDPRhub...


Takeaway:


The translation of the decision states that the medical organisation probably sent the medical file to a wrong recipient: it is important that organisations keep the patient's record updated with the correct email address or postal address.


United Kingdom:


Fact:


BBC News reports that 500,000 participants in the UK Biobank project had their sensitive medical information posted for sale on the Chinese e-commerce marketplace Alibaba. The compromised data up for sale included gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples. UK Biobank CEO Rory Collins acknowledged concerns about the impact while noting that "all the data are de-identified; they do not contain any personally identifying information." Read the BBC article here: https://www.bbc.com/news/artic...


Comment:


Even if the data are de-identified, they remain personal data and fall under the UK GDPR.


Fact:


The DPA ordered a hospital trust to respond to the Freedom of Information requests it had previously failed to reply to in time, and to devise and publish an action plan with measures to mitigate delays in the future. Read more on GDPRhub...


Takeaway:


All organisations must answer a Data Subject Access Request within one month, as per the UK GDPR.


United States:


Fact:


The U.S. Department of Health and Human Services' Office for Civil Rights entered into settlements with 4 entities regulated under the Health Insurance Portability and Accountability Act following ransomware investigations, totalling USD 1.17 million.

Read the press release here: https://www.hhs.gov/press-room...


Takeaway:


We cannot comment, as we don't know the cause of these cyberattacks.




FDA: First Warning Letter for AI-Related Non-Compliance


On April 2nd, 2026 the FDA issued its first warning letter (320-26-58) for AI-related non-compliance, to Purolea Cosmetics Lab, a Michigan-based US company manufacturing cosmetics. In addition, the FDA investigators stated that the products are drugs, not cosmetics.

During the FDA inspection of their drug manufacturing facility, Purolea told the FDA inspector that they used AI to create drug product specifications, procedures, and master production or control records in order to comply with FDA requirements.

Also, the FDA investigators found that Purolea had not conducted process validation prior to distribution of their drug products, as required under 21 CFR 211.100; Purolea replied that they were not aware of the legal requirement, as the AI agent they used never told them it was required.

Organisations must review AI-generated documents to ensure they are accurate and actually compliant with CGMP.


Pharma companies cannot 'hide behind their little finger', FDA stated:

Drugs must be manufactured in conformance with CGMP. FDA is aware that many drug manufacturers use independent contractors such as production facilities, testing laboratories, packagers, and labelers. FDA regards contractors as extensions of the manufacturer.


For this reason, pharma (and medical device) companies must ensure their subcontractors comply with all relevant laws and guidelines BEFORE contracting with such vendors.

And as the FDA's role has extraterritorial reach, US pharma companies must check that vendors comply with privacy laws and guidelines in other countries such as the EU/EEA, UK, Switzerland, China, Canada, Australia, etc.


Read FDA's warning letter to Purolea here: https://www.fda.gov/inspection...



  1. The Data Privacy Framework is a Program to make transfers of personal data between EU/EEA/UK/Switzerland to the US compliant with GDPR

  2. The EU AI Act didn't enter into force yet: Yes for Artificial Intelligence Systems which present a 'high risk' for the life of people.