The Biotech Act: the watershed of the EDPB-EDPS Joint Opinion 3/2026 on clinical trials

13/04/2026

article published on Agenda Digitale

On 10 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 3/2026 on the proposed European Biotechnology Regulation — the so-called European Biotech Act (COM(2025) 1022 final/2). This is a document worth reading carefully: not only because it contains precise technical recommendations, but because it signals a paradigm shift in the way European data protection authorities engage with biomedical innovation.

The wind does seem to be changing.

On the data protection front, the Proposal contains significant novelties for clinical trials: it moves beyond consent as the legal basis, establishes a single harmonised legal basis applicable across all Member States, expressly permits further processing of data after the trial, and — crucially — prohibits Member States from imposing additional conditions pursuant to Article 9(4) GDPR.

On all these points, the tone of the Joint Opinion is constructive and forward-looking: EDPB and EDPS do not merely flag risks — they back the Proposal’s objectives, support its underlying approach and offer technical suggestions to strengthen it. This position reflects the commitments made in the Helsinki Statement of July 2025 and has concrete, immediate implications for those working in the digital life sciences.

Let us start with a brief overview of the Biotech Act before examining what will change in the world of data protection.

The Biotech Act: what it is and why it was proposed

On 16 December 2025, the European Commission presented the Proposal for a Regulation establishing a framework of measures for strengthening the Union’s biotechnology and biomanufacturing sectors, in particular in the area of health — COM(2025) 1022 final/2, CELEX 52025PC1022. It is the first EU legislative act dedicated in a comprehensive manner to health biotechnologies, and one of the most ambitious of the von der Leyen II Commission.

The context is clear: the EU generates world-class research but struggles to translate it into competitive products. The gap with the United States and China in the biotech sector is significant and growing. The Proposal seeks to address this by acting on multiple fronts simultaneously: access to financing, regulatory simplification, use of artificial intelligence (AI) throughout the medicinal product lifecycle, and strengthened biosecurity.

On the technical side, the Proposal amends six existing regulations:

  • (EC) No 178/2002 (food law)
  • (EC) No 1394/2007 (advanced therapy medicinal products — ATMPs)
  • (EU) No 536/2014 (clinical trials — CTR)
  • (EU) 2019/6 (veterinary medicinal products)
  • (EU) 2024/795
  • (EU) 2024/1938 (substances of human origin — SoHO)

The amendments to Reg. (EU) No 536/2014 are the most significant for data protection practitioners. The Joint Opinion proposes to replace Article 93 CTR in its entirety, introducing a coherent and harmonised framework for the processing of personal data in clinical trials — a field that has suffered from deep fragmentation: divergent legal bases, inconsistent approaches to informed consent, and additional safeguards imposed unilaterally by each Member State.

On 18 December 2025, the Commission formally consulted the EDPB and EDPS pursuant to Article 42(2) EUDPR (Reg. (EU) 2018/1725). Joint Opinion 3/2026, adopted on 10 March 2026, is the outcome of that consultation.

The Proposal is subject to the ordinary legislative procedure (Article 294 TFEU). The final text may differ substantially from the Commission’s proposal. Estimated timeline: adoption 2027, application 2027–2028.

Analysis of the Joint Opinion

Let us now examine the revised Article 93 as proposed, along with the recommendations that Joint Opinion 3/2026 addresses to the EU legislature.

The Legal Basis

Article 93(1) and (2) establish a closed list of purposes for which sponsors and investigators are required — not merely permitted — to process personal health data. For sponsors (paragraph 1): submission of authorisation applications, conduct of research activities in accordance with the protocol, safety operations and reporting, recording and storage of information, archiving, and submission of results to the EU portal. For investigators (paragraph 2): research activities, safety reporting, recording, and archiving.

A technical note relevant for DPOs: the overall framework that emerges is legal basis under Article 6(1)(c) GDPR + exception under Article 9(2)(i) or (j) GDPR + specific safeguards under proposed Article 93(8) CTR. This is a coherent structure, but it requires updating records of processing activities and data subject information notices currently grounded in consent.

Paragraph 3 requires sponsors and investigators to make personal data available to the competent authorities of the Member States for oversight purposes (Article 78 CTR) and to the Commission for control purposes (Article 79 CTR).

The Joint Opinion intervenes with a principled recommendation grounded in data minimisation: access to participants’ personal data must occur only to the extent necessary for the exercise of the authorities’ functions. Where possible, data must be shared in pseudonymised form — in line with EDPB Guidelines 01/2025 on pseudonymisation (paragraph 17). The Opinion further suggests inserting into a recital concrete examples of situations in which access to directly identifiable data becomes necessary: a specification that would enhance the predictability of the provision, as required by Article 52(1) of the EU Charter of Fundamental Rights.

Controllership of the Data

Article 93(4) designates sponsors and investigators as controllers within the meaning of Article 4(7) GDPR. The Opinion welcomes this explicit designation in the operative part of the measure, consistent with the case law of the Court of Justice of the European Union (CJEU): the legislative designation of a controller is valid where the purposes and means of processing derive with sufficient certainty from the role conferred by law (CJEU, 27 February 2025, Amt der Tiroler Landesregierung v Datenschutzbehörde, C-638/23, ECLI:EU:C:2025:127, paragraphs 28 and 37; CJEU, 11 January 2024, État belge v Autorité de protection des données, C-231/22, ECLI:EU:C:2024:7, paragraph 30).

The Opinion raises, however, two practical concerns that the co-legislators are invited to resolve.

  1. Sponsors and investigators: independent controllers or joint controllers? Where sponsors and investigators jointly determine the purposes and means of processing, they must be considered joint controllers pursuant to Articles 4(7) and 26 GDPR, with a mandatory written arrangement governing the allocation of responsibilities. The same applies to co-sponsors under Article 72 CTR (paragraphs 22–23).
  2. The individual investigator as controller? The term “investigator” under Article 2(15) CTR refers to the individual responsible for conducting the trial — often a physician acting within an institution. Designating that individual as a controller makes them personally responsible for GDPR compliance. The Opinion invites the co-legislators to consider whether it would be more appropriate to attribute controllership to the organisation — the clinical trial site — of which the investigator is part (paragraph 25).

Retention Period: 25 Years, but Only for the Master File

Paragraph 5 links the retention of personal data to Article 58 CTR, which prescribes a minimum retention period of 25 years from the conclusion of the trial for the contents of the master file.

The Opinion’s recommendation is one of terminological precision, but it carries significant operational consequences: the 25-year period applies exclusively to personal data contained in the master file, not to all personal data processed during the trial (paragraph 26). This distinction is important for calibrating data retention policies correctly. Once the minimum retention period has elapsed, the storage limitation principle under Article 5(1)(e) GDPR applies in full: data must not be kept longer than necessary (paragraph 27).

Further Processing: A Legal Basis, Yes — but More Precision Is Needed

Paragraph 6 is among the most anticipated provisions for industry: it establishes that personal data collected during a trial may be further processed by the same controller for other clinical trials conducted pursuant to the CTR, or for scientific research aimed at protecting public health, improving standards of care, and fostering the innovation capacity of European medical research.

The Joint Opinion recognises the value of this provision and recommends clarifying in the recitals that it provides a legal basis pursuant to Article 6(1)(e) GDPR (processing in the public interest), in accordance with the requirements of Article 6(3) GDPR (the legal basis must be established by Union or Member State law).

No More Additional National Conditions: The Systemic Breakthrough

This is the most important paragraph in the entire Article 93 for those conducting clinical research in Europe. By way of explicit derogation from Article 9(4) GDPR, proposed Article 93(7) provides that Member States may not maintain or introduce further conditions — including limitations — with regard to the processing of personal data in trials conducted pursuant to the CTR.

To appreciate the significance of this provision, consider that Article 9(4) GDPR currently allows Member States to impose additional requirements for the processing of sensitive data. Several national legal orders have used this opening in the clinical trials context: requiring GDPR consent as an additional legal basis for processing, introducing limitations on the categories of data that may be processed, or imposing specific formalities before national data protection authorities (DPAs). The Italian Privacy Code, for instance, builds on this provision in its Articles 110 and 110-bis.

The result has been a patchwork of national regimes that turns every multinational trial into a different regulatory due diligence exercise in each Member State.

The Proposal closes this chapter. And Joint Opinion 3/2026 raises no objection to this paragraph: a silence that amounts to full endorsement.

Artificial Intelligence in Clinical Trials: The New Article 27f CTR

The Biotech Act also introduces into the CTR a dedicated provision on the use of AI in clinical trials: the new Article 27f. It is a long-awaited provision, formalising for the first time specific obligations for sponsors that use AI models or systems in the context of a clinical study.

The obligations are twofold.

First: assess the benefits and risks to patient safety and data reliability arising from the use of AI.

Second: provide in the protocol specific information about the purpose of use and a description of the processes in which the AI systems are deployed.

The assessment must take account of the non-binding guidelines that the European Medicines Agency (EMA) will develop pursuant to Article 31 of the Proposal.

The Joint Opinion addresses three specific aspects.

  1. Relationship with the AI Act. Recital 157 of the Proposal refers to compliance with the AI Act (Reg. (EU) 2024/1689) only in general terms. It is not clear whether the obligations under Article 27f apply in addition to those under the AI Act or replace them. The EDPB and EDPS recommend clarifying this directly in the text: the two regimes are cumulative (paragraph 53). It should also be noted that the AI Act, pursuant to Article 2(8), does not apply to research, testing or development activities relating to AI systems or models prior to their placing on the market: in the early stages of developing AI systems used in trials, there may therefore be a regulatory gap that the co-legislators will need to address.
  2. Risks for data subjects. The Opinion recalls Recital 158 of the Proposal, which lists concrete risks: gender and other biases, errors in interpreting clinical data, misdiagnoses, inaccurate patient selection — particularly serious in large-scale trials. For this reason, the EDPB and EDPS recommend including an obligation for the EMA to cooperate with the EDPB in developing the guidelines under Article 27f, specifically as regards the protection of personal data (paragraph 55).
  3. AI regulatory sandboxes. Article 27e CTR provides that clinical trial regulatory sandboxes may be coordinated with those established under the AI Act. The Opinion refers back to the recommendations in Joint Opinion 1/2026 on AI sandboxes — in particular, the request that the EDPB have an advisory role to ensure consistency on data protection aspects (paragraph 52; Joint Opinion 1/2026, paragraphs 28–29).

Conclusions and next steps

Joint Opinion 3/2026 reads like a document shaped by a new vision.

It is not the defensive response of authorities concerned with guarding perimeters: it is the constructive contribution of institutions seeking to be co-protagonists in building the normative framework for European innovation. The technical recommendations are precise and well-grounded, but the underlying tone is one of support.

The three major openings that the Opinion welcomes are clear:

  • Harmonised legal basis: the processing of personal data in clinical trials is at last grounded in a single legal basis across Europe — the legal obligation under Article 6(1)(c) GDPR — freed from the patchwork of national consent-based approaches.
  • Further processing expressly lawful: trial datasets will be reusable for further clinical trials and scientific research, with an express legal basis that eliminates the interpretative uncertainties of recent years.
  • End of additional national conditions: the Article 9(4) GDPR clause will no longer be available to Member States to layer additional requirements on clinical trials. This is a choice that the scientific community and sponsors have long awaited.

On the legislative calendar, the road to final adoption is still long. Following the consultative Opinion (March 2026), the process continues in Parliament: the ENVI, ITRE and JURI committees will need to examine the text, with initial positions expected by the end of 2026 at the earliest. The Council of the EU will commence its technical work in parallel.

The codecision procedure makes adoption before the second half of 2027 unlikely, with application expected between 2027 and 2028. The Commission has also announced a Biotech Act II for 2026, to extend the framework to non-health sectors.

For those working in the digital life sciences, however, the message is clear: a new era is opening up.

 


Legislative References and Bibliography

Legislative Proposal

European Commission, COM(2025) 1022 final/2, Proposal for a Regulation — European Biotech Act, 16 December 2025. CELEX 52025PC1022. EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52025PC1022

EDPB and EDPS Opinions

EDPB-EDPS, Joint Opinion 3/2026 on the European Biotech Act, 10 March 2026. https://www.edpb.europa.eu

EDPB-EDPS, Joint Opinion 1/2026 on the Digital Omnibus on AI, 20 January 2026. https://www.edpb.europa.eu

EDPB, Helsinki Statement on enhanced clarity, support and engagement, 2 July 2025. https://www.edpb.europa.eu

EDPB, Guidelines 01/2025 on pseudonymisation, 16 January 2025. https://www.edpb.europa.eu

EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.1, 7 July 2021. https://www.edpb.europa.eu

EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, version 1.1, 4 May 2020. https://www.edpb.europa.eu

EDPB, Opinion 3/2019 on the interplay between the CTR and the GDPR, 23 January 2019. https://www.edpb.europa.eu

Legislation

Reg. (EU) No 536/2014 (CTR), OJ L 158, 27.5.2014. ELI: http://data.europa.eu/eli/reg/2014/536/oj

Reg. (EU) 2016/679 (GDPR), OJ L 119, 4.5.2016. ELI: http://data.europa.eu/eli/reg/2016/679/oj

Reg. (EU) 2018/1725 (EUDPR), OJ L 295, 21.11.2018. ELI: http://data.europa.eu/eli/reg/2018/1725/oj

Reg. (EU) 2024/1183 (eIDAS II), OJ L 2024/1183, 30.4.2024. ELI: http://data.europa.eu/eli/reg/2024/1183/oj

Reg. (EU) 2024/1689 (AI Act), OJ L 2024/1689, 12.7.2024. ELI: http://data.europa.eu/eli/reg/2024/1689/oj

Reg. (EU) 2024/1938 (SoHO), OJ L 17.7.2024. ELI: http://data.europa.eu/eli/reg/2024/1938/oj

Case Law

CJEU, 27 February 2025, Amt der Tiroler Landesregierung v Datenschutzbehörde, C-638/23, ECLI:EU:C:2025:127

CJEU, 11 January 2024, État belge v Autorité de protection des données, C-231/22, ECLI:EU:C:2024:7

CJEU, 1 August 2022, OT v Vyriausioji tarnybinės etikos komisija, C-184/20, ECLI:EU:C:2022:601

CJEU, 24 February 2022, “SS” SIA v Valsts ieņēmumu dienests, C-175/20, ECLI:EU:C:2022:124

 

At the time of writing, COM(2025) 1022 is a proposal subject to the ordinary legislative procedure (Article 294 TFEU) and has not yet been adopted. References to articles are to the provisions as proposed by the Commission and subject to amendment. Joint Opinion EDPB-EDPS 3/2026 is available at https://www.edpb.europa.eu.