Contact Us

When Can Personal Data Be Processed for Research in The EU And UAE?

  • Home
  • When Can Personal Data Be Processed for Research in The EU And UAE?
Personal Data Processing for Research

On 15 April 2026, the European Data Protection Board (EDPB) adopted draft Guidelines 1/2026 on the processing of personal data for scientific research purposes under the GDPR. Open for public consultation until 25 June, these guidelines aim to harmonise research data compliance across EU member states, an area previously marked by inconsistent national interpretations.

While they apply to scientific research broadly, their most practical impact will be felt in healthcare and life sciences, where patient records, imaging, genomic sequences, treatment outcomes, and disease registries are routinely used for research. For hospitals, academic medical centres, pharmaceutical sponsors, and contract research organisations operating across jurisdictions, including the UAE, understanding where the two frameworks align and differ is increasingly important.

What The EDPB Guidelines Say

  • The guidelines address four recurring issues: what qualifies as “scientific research,” when further processing is permissible, how long data can be retained, and how consent works in a research context. These questions arise routinely in hospital trials, data sharing with universities, and disease registry work.
  • The EDPB sets out six indicative factors that, when collectively met, establish that processing is for genuine scientific purposes: (i) a methodical and systematic approach; (ii) adherence to ethical standards; (iii) verifiability and transparency; (iv) autonomy and independence; (v) objectives aimed at advancing general knowledge or societal wellbeing; and (vi) potential to contribute to or apply existing scientific knowledge. The EDPB is clear that commercial research can qualify, but internal analytics undertaken purely for marketing will not, regardless of how it is labelled. Where not all six factors are present, controllers must justify and demonstrate why the activity should still fall within the scientific research definition.
  • Further processing for scientific research is presumed compatible with the original collection purpose under Article 5(1)(b) GDPR, so a fresh compatibility assessment is not needed if the original legal basis remains valid and Article 89(1) safeguards, mainly pseudonymisation, are applied. This means patient data collected for treatment can be used for approved secondary research without a new legal basis analysis, provided it is adequately pseudonymised. For special category data such as genetic, biometric, sexual health, or mental health data, Article 9(2)(j) must also be properly invoked and documented.
  • Data may be retained beyond the original purpose where it is held solely for scientific research. If future projects are not yet fully defined, identifying a research area is enough, so long as future activities within that area are reasonably foreseeable. This is especially relevant for biobanks, tissue repositories, and longitudinal cohort studies. Retention must still reflect a genuine research need and cannot be indefinite simply because the data might someday be useful.
  • The EDPB permits broad consent where specific research purposes are not fully known at the point of collection, allowing organisations to collect data in a defined research area and refine purposes as projects evolve. Crucially, broad consent must be paired with meaningful safeguards: real-time information updates to data subjects as projects progress, access controls, time-limited consent validity, and independent or ethical oversight. The guidelines also permit a hybrid model combining broad and dynamic consent. This aligns well with biobank and cohort research, where patients often consent to a category of future research rather than a single study.

The UAE Position

  • The UAE’s federal data protection regime, Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data (PDPL), in force since January 2022, also addresses scientific research, but in a very different way. This is especially relevant for UAE healthcare and life sciences institutions that participate in multi-site research involving both EU and UAE patient data.
  • Unlike the GDPR, the PDPL treats scientific research mainly as an exception to consent. Article 4 allows processing without consent where necessary for archival, scientific, historical, or statistical studies in accordance with UAE law. The PDPL does not contain an equivalent to Article 9 GDPR for special category data, though sector-specific rules may still apply in practice.
  • The PDPL gives no structured test for what counts as scientific research. There is no equivalent to the EDPB’s six factors, no published UAE guidance, and no statutory presumption of compatibility for further processing. As a result, hospitals using patient data for retrospective studies must document necessity carefully and apply safeguards such as pseudonymisation and ethics oversight even where not formally required. These issues are frequently assessed by a data protection lawyer in UAE when advising healthcare institutions on research compliance and data governance obligations.
  • Consent also works differently. Under the GDPR, consent is one of six legal bases; under the PDPL, consent is the default and all other bases are departures from it. There is no standalone legitimate interests basis. This means a trial or observational study in the UAE may need to rely either on consent or squarely on the research exception.
  • The EDPB’s broad consent approach has no direct PDPL equivalent. The PDPL requires consent to be specific, informed, and unambiguous, which creates tension for longitudinal studies, biobanks, oncology research, rare disease research, and genomics, where future uses may be unknown at enrolment. UAE healthcare organisations therefore often rely on narrow case-by-case consent or ethics board approval, but neither approach fully resolves the gap.
  • The picture is further complicated by the UAE’s free zone regimes. Entities operating in the Dubai International Financial Centre (DIFC) or the Abu Dhabi Global Market (ADGM) sit outside the PDPL and are instead governed by their own data protection regimes. The DIFC Data Protection Law ( 5 of 2020) is closely modelled on the GDPR and would offer a more familiar landscape for research activities, including a broader basis for processing and greater flexibility on purpose limitation.

Practical Implications for Cross-Border Research

  • Cross-border studies between the EU and the UAE require a dual-track approach, especially in clinical trials, genomics, and AI-driven diagnostics. EU-origin data must satisfy the GDPR, while UAE-origin data must satisfy the PDPL or the relevant free zone law. This evolving regulatory landscape is also closely monitored by a technology law firm in UAE advising organisations involved in digital health, research, and data-driven innovation projects.
  • The EDPB framework is more predictable because it provides a six-factor test, a compatibility presumption, and a broad consent model. These tools reduce compliance friction while giving hospitals and sponsors clearer guardrails. The UAE framework is narrower and less developed, making it harder to support emerging research models, especially those involving large datasets or AI analysis.
  • Organisations should consider whether UAE research can be structured through DIFC or ADGM entities where possible. Where that is not feasible, legal bases and consent documents should be designed with the PDPL’s stricter requirements in mind. In practice, many organisations draft to GDPR standards across the board to reduce risk and simplify governance.
  • The EDPB guidelines remain in public consultation and may change. Organisations involved in EU research, including hospitals, academic medical centres, and pharmaceutical sponsors, can still comment before the 25 June deadline. The wider message is that the gap between the EU and UAE frameworks is real, and cross-border healthcare research should be designed with that gap in mind from the start.

Authors: Shantanu Mukherjee, Varun Alase

Other Posts

Our Clients

Spektar
Engrail
UltraHuma
WSA
Kelix
Karkinos
Trampoline-1
Power
temple
Konfer-1
Xplorazzi
SBS-1

Awards & Recognitions

Add Your Heading Text Here
Add Your Heading Text Here
Add Your Heading Text Here
Add Your Heading Text Here
Add Your Heading Text Here

Testimonials

My relationship with Ronin Legal and Shantanu has advanced exponentially in a very positive direction in a very short time. The Ronin team is zealous in their partnership with us to advance the mission of our small start-up to become a world leader in neuroscience development. Ronin has taken the lead with review of our legal and technical documents and contracts. They are subject matter experts in general counsel services across our global environment. It is a pleasure to work with a team that is pragmatic and responsive in all circumstances. They are second to none.

Janet Flisak

Executive Director, Clinical Development, Engrail Therapeutics

Shantanu and the team at Ronin have been invaluable partners for our investment firm’s expansion into co-development of specialty pharmaceutical drugs. As we made the transition from more traditional VC investing to direct drug development collaborations, the team at Ronin have utilized their deep domain expertise in cross border pharma to help us set up an effective and compliant structure for our project. I would highly recommend Ronin to any organization in the life sciences space that is looking for legal partners with in depth understanding of the various nuances of this dynamic sector.

Zarvaan Merchant

Managing Director, Spektar Therapeutics

I’ve been very happy with Ronin’s ability to ramp resources up or down depending on what we require in a particular week or month. In addition, the ability to connect with multiple lawyers across jurisdictions quickly (US, UK, UAE, Singapore), help us to assess international law firms and then work with them to get the best legal advice is very appreciated.

Bhuvan Srinivasan

Chief Business Officer, Ultrahuman

Shantanu and the Ronin team have been very pragmatic and responsive business partners, working with Konfer – an agentic genAI product for confident continuous compliance to Regulations. They analysed the state of AI regulation in various countries, and reviewed the EU AI Act and other relevant AI legislation offerings of our product. The team’s ability to align complex legal information to product offerings has been invaluable to us. Ronin Legal has negotiated our business contracts for partnerships. They’re solution-oriented and cost-effective, and I would highly recommend Ronin Legal to startups and tech companies everywhere, and especially those building AI powered businesses.

Debu Chatterjee

CEO, Founder, Konfer.AI.

I have worked with the Shantanu, and his team, for a number of years during which time his insight and acumen have helped us greatly in the negotiation of a number of pharmaceutical licensing agreements and in the formation of new subsidiaries. I thoroughly recommend Ronin Legal to anyone seeking advice and guidance in pharmaceutical deal making.

Damon Smith

Chairman, Altus Group of Companies

Shantanu and team Ronin were meticulous, detailed, persevering and most importantly batting entirely for our side through our seed round fundraise and beyond. They were always approachable, available and balancing principle with pragmatism. I would highly recommend the team for any startup related legal matter.

Abhik Ghosh

Founder, 26 Décor

First of all, of behalf of SIIX Corporation, we wish to congratulate you & team on the launch of your new website!

 

We are very happy to be engaged with you & your professional team on our business venture in India and on establishing our JV initiatives. With your expertise, integrity, and commitment to providing trusted legal guidance, we truly believe to achieve our goals and successfully complete our JV partnership and, to expand our business in India with your support.

Shanmugam Gurusamy

Managing Director, SiiX India Private Limited

Ronin Legal has become an integral part of our deal process. Their solution-oriented mindset, combined with consistently high-quality work and exceptional responsiveness, makes contract negotiations smoother and more efficient. They truly understand our business needs

Dr. Madeha Khan

Working with Shantanu and Ronin Legal has been truly transformative for my startup. From our very first meeting, Shantanu stood out with his approachable manner and deep commitment to understanding my business. He consistently showed genuine interest and empathy, always providing clear, practical advice that’s perfectly tailored to our needs.

 

What truly sets Shantanu and Ronin Legal apart is their unique blend of legal expertise and a true partnership mindset. They deeply understands the challenges of building a startup, cutting through jargon to give advice that’s actually useful and helping us avoid costly mistakes without any pressure. It feels less like a traditional client relationship and more like having a dedicated co-pilot invested in our journey. They have become an invaluable ally, that we trust and depend on.

Tani Tasopoulou

Founder & CEO, OrgDesignWays Consulting

I cannot speak highly enough about the exceptional service provided by Ronin Legal. Their team made what could’ve been a complicated and stressful IP process feel smooth and manageable. From the outset, their team demonstrated a deep understanding of intellectual property law, offering not only expert legal guidance but also a strategic mindset advising on protection of our brand in various regions. They were responsive, thorough, and truly acted as partners in safeguarding our IP assets. Their attention to detail, clarity in communication, and professionalism gave us complete confidence throughout the process thus far. I wouldn’t trust anyone else with our intellectual property.

Karen Liao

The Wrong Gym

In The Media

MAPPING THE LANDSCAPE — INAUGURAL ISSUE: Private Wealth, Complex Assets & Cross-Border Matters
How the UAE Ensures Your Biometric Data is Protected: A Closer Look
What Biden's Support To TRIPS Waiver Proposal Means For The Fight Against Covid-19 Pandemic
Deep Pockets, Strong Relations: Corporate Hope for COVID Shots
Jab of Indemnity: A Lowdown on Why This Features on Pfizer, Moderna Wish List
Slouching towards oversight - artificial intelligence and the law
Fitness Wearables and the Law Part III: India
E-pharmacies and the law: an uneasy balance
America’s AI Action Plan: A Heady Cocktail of Techno-optimism, Culture Wars and Geopolitics
The Increased Need to Protect Health Data Privacy in a post- Roe World
Oracle, Cerner, and the Quest for Health Care Data
The ADGM’s New Cyber Risk Management Framework: A Closer Look
Fitness Wearables and the Law in EU
How Do We Regulate Chatbots? A Closer Look
How is Biometric Data Protected Under Indian Law?
Is Your Watch FDA Approved? Fitness Wearables and the Law
Cabinet Decision No. 35 of 2025: When Do Foreign Entities Owe UAE Tax?
The Regulation of Telemedicine: A Global Comparative Analysis
View All

Legal updates

When Can Personal Data Be Processed for Research in The EU And UAE?
June 25, 2026

When Can Personal Data Be Processed for Research in The EU And UAE?

How Does Saudi Arabia Regulate Healthtech and SAMDS?
June 24, 2026

How Does Saudi Arabia Regulate Healthtech and SAMDS?

India’s Top Court Proposes Rules for Use of AI in Courts
June 8, 2026

India’s Top Court Proposes Rules for Use of AI in Courts

View ALL

Stay Updated.

To subscribe to our newsletter, click on the link below

SUBSCRIBE NOW

Copyright © 2025  |  Ronin Legal   |   Website Maintained by LawStrings Management  |  Privacy Policy  |  Cookie Policy  |  Terms of Use

Leave Us A Message

Cookie Consent with Real Cookie Banner