Summary
Data may be the oil of the 21st century, but in clinical research its reuse is far from straightforward. GDPR places strict conditions on when and how personal data can be used beyond the original trial, raising tough questions about lawfulness, transparency, and consent. Our article unpacks these challenges and highlights how the UK’s new DUAA seeks to ease the path by giving binding effect to recital principles and introducing future-proof consent. For sponsors and researchers, the message is clear: smart data strategy is now as important as smart science.
Clinical Data’s Double Life: Innovation vs. Regulation
Often likened to the oil of the 21st century, data fuels innovation across industries—nowhere more powerfully than in the life sciences, where daily healthcare and research activities produce vast oceans of information.
Despite broad recognition of the importance of research in driving innovation and delivering high societal value, it is important to remember that data originates from individuals - patients or even healthy volunteers - who, beyond being members of society, are also distinct individuals with their own rights and freedoms. Chief among these is the fundamental right to the protection of personal data, which imposes limitations on the broad and unconditional use of such data for research purposes. This is particularly relevant when research is considered a secondary use of data initially collected for healthcare purposes, or when data is intended for unspecified future research within a broad scientific context.
This concern is especially pronounced in European jurisdictions, where data protection is enshrined as a fundamental individual right. We have explored this understanding of personal data protection in our previous article on data protection challenges in the development and use of AI (https://www.iliomad.fr/post/ai-part-2). This status creates clear and harmonised obligations for all data controllers and processors, regardless of their size or purpose. The General Data Protection Regulation (GDPR), with its well-known "Brussels effect," serves as the most illustrative framework for understanding such constraints.
In this context, the current article focuses on the GDPR's requirements for the secondary use of data, specifically when data initially collected in clinical research is later used for further research purposes. In practice, we have observed that this issue frequently arises in clinical trials, particularly when Sponsors attempt to define the purposes of personal data processing and identify the appropriate legal basis, especially in view of potential future research activities.
What is Secondary Use?
Secondary use of data, or further processing of personal data, is generally understood as the processing of personal data for purposes other than those for which the data were initially collected. Under the GDPR and the data protection regulations mimicking the GDPR framework, personal data can be collected only for specified, explicit, and legitimate purposes (also known as the “purpose limitation principle”). Therefore, processing personal data for purposes that go beyond the initially defined objectives of the processing is considered a further purpose, or secondary use of data, and must meet specific requirements imposed by the GDPR, as explained below in this article.
In the context of clinical trials, the purpose of collecting personal data is defined by the study endpoints of the clinical trial protocol. This includes the diseases or conditions that the trial addresses (e.g., “to test the efficacy and tolerability of investigational drug X in patients with X disease,” or in healthy volunteers, depending on the phase of the trial) as well as the pharmacovigilance purposes of the trial, which are imposed as legal obligations by the clinical trials regime and go hand in hand with the scientific purposes.
Therefore, secondary use in the context of clinical trials would normally constitute any use of data outside the explicitly defined protocol endpoints. This can include, but is not limited to, new or additional research concerning:
- the way the investigational product in scope, or drugs of the same group, work;
- the disease or condition for which the investigational product in scope is being evaluated;
- other diseases or health problems that could benefit from the investigational product in scope;
- an area of research not strictly related to the investigational product or disease in scope.
Under the GDPR, when secondary use of data takes place for scientific research purposes, specific provisions are introduced to facilitate such further processing, in comparison with other further processing or secondary uses of the initially collected clinical trial personal data that would not qualify as scientific research. For this reason, it is important to examine what is covered by the notion of “scientific research” in the context of the GDPR, in order to determine, on a case-by-case basis, the degree of applicability of these facilitation provisions.
What is Covered by Scientific Research?
The definition of scientific research in the GDPR was recently examined in detail in the EDPB-commissioned study entitled “Study on the secondary use of personal data in the context of scientific research” (https://www.edpb.europa.eu/our-work-tools/our-documents/other/study-secondary-use-personal-data-context-scientific-research_en). The study notes that, while the term is repeatedly mentioned in the GDPR, scientific research is not explicitly defined. Accordingly, this lack of a clear definition has led to a lack of uniformity among EU Member States regarding its scope, despite the GDPR’s aim of achieving harmonisation and consistency in the interpretation and enforcement of data protection provisions across the EU.
Guidance on its interpretation is found only in Recital 159 of the GDPR, which states that scientific research purposes shall be interpreted “in a broad manner,” including, for example, “technological development and demonstration,” “fundamental research,” “applied research,” and “privately funded research.” Even though recitals do not have legally binding effect, they are nonetheless particularly useful for interpreting how the GDPR should be understood. On this basis, it can be initially concluded that:
- Sponsor-funded clinical trials are certainly within the scope of scientific research, as privately funded research. This has been confirmed in practice by the EDPB guidelines on the interaction between the CTR and GDPR (https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-32019-concerning-questions-and-answers_en), as well as by guidance from regulatory authorities on the data protection requirements for clinical trials.
- Research activities performed for AI development could also potentially qualify as “scientific research,” specifically within the notion of “technological development and demonstration.” This assumption could be further reinforced when an AI tool is developed for use in drug or medical device R&D activities.
At the same time, the EDPB-commissioned study explored how the notion of scientific research is understood among Member States. Based on commonly accepted characteristics found in EU and international legal texts, it concluded that scientific research could be described as “any research for a scientific purpose, financed by public authorities or the private sector, carried out in accordance with the established ethical standards and the methodology applicable in the sector concerned by the research.”
The study also confirms that the notion of scientific research is clearly not limited to academic research organisations (such as universities or research centres). In particular, research carried out by private entities with a commercial scope, including pharmaceutical companies, qualifies as scientific research, provided that applicable ethical standards are respected.
Main Obligations in Case of Intended Secondary Use
There are practical challenges related to the secondary use of data in general, including in the context of clinical trials. These challenges can be grouped into two main areas:
- Examining lawfulness – in particular, whether there is a lawful ground, from a data protection perspective, for personal data initially collected for one purpose to be used or processed again for another. A key question arises here: how far can the secondary purpose differ from the originally defined purpose?
- Ensuring proper information – making sure that the individuals whose personal data are to be reused are appropriately informed about the intended further processing.
These two challenges are closely interrelated and go hand in hand with many of the core data protection principles and obligations imposed on controllers, such as accountability, lawfulness and transparency of processing, and data minimisation. They are also tied to the rights granted to data subjects under data protection regimes.
As noted above, scientific research benefits from specific facilitations designed to address these two principal challenges. In particular:
Lawfulness of processing and compatibility – In evaluating the distance between the original and the secondary purpose, scientific research is normally considered compatible with the original purpose. This means that, for example, if the clinical trial sponsor decides to reuse data initially collected in the context of one trial for another trial the sponsor wishes to run, they do not need to carry out a compatibility assessment for the second trial. The latter will qualify automatically as scientific research and therefore benefit from the assumption of compatibility. Nevertheless, beyond compatibility, the sponsor must still rely on an appropriate legal basis for processing the data - most often either the sponsor’s legitimate interest or the consent of the data subjects. In this regard, different approaches are taken across Member States, which becomes particularly evident when a model consent form is adopted at national level:
- In the model ICF for Germany, it is explicitly stated that if the sponsor intends to reuse the data, they must prepare a separate document for this purpose and provide it to the participant of the current trial to obtain their consent for future use of their personal data (a document often referred to as a “future ICF”);
- In the model ICF for Spain, explicit consent for further data processing also seems to be the locally accepted legal basis. The difference from Germany is that this consent can be requested within the same ICF document developed for the current trial;
- In the model ICF for Belgium, the sponsor’s legitimate interest appears applicable, and the template includes standard wording addressing the future use of data within it.
From the above, it should be highlighted that a sponsor deciding to reuse data and conduct a cross-border clinical trial within the EU must closely monitor these nuances in the interpretation and implementation of GDPR requirements.
In practical terms, the second challenge can turn out to be even more difficult to manage. Indeed, whatever the legal basis is, and despite the assumption of compatibility examined above, data subjects must always be informed of the further processing of their personal data, prior to it taking place. There seems to be no exemption to this rule when the data are collected directly from the data subjects, as is the case when a sponsor conducts the initial trial. Exemptions to transparency obligations are recognised only when the data are not obtained from the data subjects themselves but from another source - for example, when data are initially collected from other sponsors, research institutions, or data brokers. The practical implication of this obligation is that, whenever a sponsor conducts a clinical trial, they should have a clear view of the actual intended uses of the data. If the sponsor foresees that the data will be reused, they should act proactively by including the necessary language in the initial ICFs and by examining the appropriate legal basis in advance. Conversely, if the decision to reuse the data is made later, they will likely need to update the ICF, as this remains the means of providing information to patients on the use of their data. However, this could prove particularly challenging if the modification of the ICF qualifies as a substantial amendment, requiring new regulatory approval.
Therefore, this is a crucial aspect that clinical trial sponsors should keep in mind and one on which they should consult their data protection and regulatory advisors accordingly.
Finally, when processing personal data for scientific research - whether as a primary or secondary purpose - the GDPR requires that appropriate safeguards be implemented to protect the rights and freedoms of data subjects. Such safeguards include, for example, encryption of data and proper pseudonymization, ensuring that both the pseudonymised data and the corresponding key code are protected against unauthorised disclosure, modification, and/or loss.
Comparison with the Recently Adopted DUAA in the UK
On 19 June 2025, the UK Parliament adopted the Data Use and Access Act (DUAA), a law introducing modifications to existing UK legal frameworks on digital information with the aim of promoting innovation and economic growth. The DUAA has not yet entered into force but will be implemented gradually through regulations adopted by the Secretary of State.
A substantial part of these modifications concerns the UK GDPR (the GDPR as applicable in the UK), and in particular its provisions on the processing of data for scientific research.
Interestingly, these modifications - discussed briefly below - are not entirely new in the data protection context, as they stem from principles already outlined in the recitals of the UK GDPR (and similarly in those of the GDPR).
Nevertheless, by making these recital principles legally binding, the DUAA seeks to foster innovation and enable the secondary use of data for scientific research.
To begin with, the DUAA introduces a clear definition of scientific research within its text, reaffirming the analysis above and removing any doubt that industry-sponsored trials qualify as scientific research, thereby closing a perceived gap in the UK GDPR recitals.
At the same time, the DUAA extends the exemptions provided by the GDPR from the obligation to inform individuals about the secondary use of their data for scientific purposes to situations where the personal data are collected directly from the data subject. In particular, a controller (such as a clinical trial sponsor) will be exempt from this obligation where providing the privacy information is impossible or would involve a disproportionate effort. While this will depend on factual analysis and must be assessed on a case-by-case basis, it could be especially relevant for clinical trial sponsors who later decide to reuse data collected from previous activities for a new purpose but cannot re-inform individuals because they only have access to pseudonymised data and not to direct identifiers (such as names or contact details), as required by the clinical trials regulatory framework.
Finally, it is worth noting that whenever consent is relied upon for the secondary use of data, the DUAA facilitates the use of shorter, future-proof consent forms - even where the exact purposes of processing have not yet been explicitly defined. By giving binding legal effect to the UK GDPR recitals, the law provides that consent shall still be considered explicit and valid even if broader in scope, provided that:
a) it was not possible for the organisation to identify the exact purpose of the research at the time consent was obtained;
b) seeking consent for the broader area of scientific research is consistent with generally recognised ethical standards in the relevant field; and
c) individuals are given the opportunity to consent only to part of the research.
Strategy is the Key
To effectively operate within the regulatory requirements on the secondary use of data - which may even differ from one Member State to another - entities conducting research activities should build a strong data-use strategy from the very beginning of the process.
In doing so, consulting the Data Protection Officer and other key regulatory advisors as early as possible is fundamental, as they can clarify and translate the applicable obligations into practical steps the research entity must anticipate. Having a clear view of future data-use plans and being transparent with key collaborators in data management go hand in hand with developing a resilient data strategy - one that enables the fullest use of valuable data resources in a manner that is both ethical and lawful.
Ultimately, treating compliance not merely as a constraint but as an integral part of the research design can foster trust, safeguard participants’ rights, and unlock opportunities for innovation, ensuring that scientific research thrives within the boundaries of data protection law.