Is commercial R&D still ‘scientific research’ under the GDPR?

If you as a company use personal data for innovation or product development, qualifying that activity as ‘scientific research’ is important to take advantage of a more flexible regime within the General Data Protection Regulation (GDPR). However, recent advice from European regulators threatens to severely restrict this definition, pushing commercial research and development (R&D) into a legal twilight zone. Below, we dissect this shift and provide strategies to secure your data-driven innovation.

The original balance: innovation anchored in the GDPR

The GDPR was never designed to inhibit scientific progress. On the contrary, the legislator deliberately provided a flexible regime for data processing in the context of scientific research. This is expressed in practice by important exceptions to the purpose limitation principle: further processing of personal data for scientific research is considered compatible with the original purposes.

In addition, recital 159 of the GDPR explicitly clarifies that the processing of personal data for scientific research purposes should be interpreted broadly. This broad interpretation includes technological development and demonstration, fundamental research, applied research as well as privately funded research. The legislator thereby recognized that science is not exclusively reserved for academic institutions, but also takes place in a commercial context.

The condition for this flexible regime is not the absence of a profit motive, but the presence of strict safeguards. Article 89(1) of the GDPR requires that appropriate technical and organizational measures, such as pseudonymization, be taken to protect the rights of data subjects and ensure data minimization.

European regulator's attack on commercial research

The European Commission recently tried to increase legal certainty through a proposal for a ‘Digital Omnibus‘, which would legislate the broad definition of scientific research - including research that supports innovation and commercial interests.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) responded with a joint opinion (Joint Opinion 2/2026) that proposes a significant change in direction. They recommend removing references to innovation and commercial interests from the binding definition. Instead, they want to introduce criteria such as:

• The study should be conducted in an “autonomous and independent manner”.
• The research should lead to “verifiable and transparent results,” with an emphasis on the public availability of these results.
• Product research and development (R&D) does not necessarily constitute scientific research, although it can support innovation.

These criteria are at odds with the realities of private R&D, clinical product development and trade secrets, where controlled disclosure is often necessary.

The impact on the private sector and innovation

When the qualification of ‘scientific research’ becomes dependent on institutional independence and the obligation to share results publicly, it functions as an exclusion mechanism for private actors. The consequences of this in practice are significant:

• Loss of the exception to goal binding: Companies may find it much harder to reuse data originally collected for another purpose for internal algorithm training or product improvement.
• Issues with retention periods: Data may be stored for longer periods for scientific research. If r&d loses that stamp, data must be destroyed more quickly.
• Legal uncertainty and ‘chilling effects. Compliance departments will curtail projects, stop data sharing or refuse to participate in cross-border and public-private partnerships out of risk aversion.

The regulators' vision risks creating a system in which the focus shifts from how safely the research is conducted (the safeguards), to who conducts it and for what societal or commercial purpose. However, in highly regulated industries, such as clinical product development, scientific integrity is safeguarded by strict protocols, ethics committees and audits, even if commercialization is the end goal. Industry has traditionally been an engine for scientific breakthroughs; excluding commercial R&D ignores how modern science actually works.

Strategic steps for your business

Given the evolving and more restrictive interpretation by regulators, it is recommended that companies proactively optimize their data processes and R&D structures to safeguard the qualification of scientific research:

1. Implement robust and demonstrable safeguards: Embed the requirements of Article 89 of the GDPR into your systems. Ensure thorough pseudonymization, strict access management (split-key models) and data minimization. The stronger the technical separation, the better you can demonstrate that privacy risks are minimal.
2. Formalize independence and methodology: Integrate ‘independence’ as an attribute of good governance rather than a mere institutional feature. Provide audit trails, transparent methodological protocols, conflict management mechanisms, and possibly oversight by ethics committees or independent experts.
3. Provide responsible dissemination policies: If you cannot fully disclose results because of intellectual property rights, then document a dissemination path appropriate to your industry, such as filings with regulatory agencies, patent applications or controlled disclosures to industry peers.

Frequently asked questions (FAQ)

Do I have to publicly publish the results of my commercial R&D project to count as ‘scientific’ under the GDPR?
Although regulators such as the EDPB prefer public availability as evidence of transparency, a strict reading of the GDPR does not absolutely require it. Transparency can also be achieved through reporting to regulators, supervisory inspections or structured and controlled disclosure, while keeping commercially sensitive information protected. It is important to properly document your specific dissemination policy.

Does the GDPR exclude commercial interests in research?
No. Recital 159 of the GDPR explicitly specifies that scientific research is to be interpreted broadly and includes “privately funded research.” The debate currently revolves around where the line is drawn between pure product optimization and actual methodological scientific research.

Legal support for complex data innovation

The dividing line between commercial R&D and scientific research is a current and complex risk area within data protection law. Regulators are looking increasingly critically at the legal grounds companies use for their data processing.