The European Biotech Act Meets the GDPR: What the EDPB-EDPS Joint Opinion 3/2026 Means for Clinical Trials, AI and Health Data
Why this matters
On 16 December 2025, the European Commission published its Proposal for a European Biotech Act — a sweeping piece of legislation aimed at making the EU a more competitive home for biotechnology and biomanufacturing, particularly in health. The Proposal touches multiple existing regulations, but the most significant data protection implications arise from its proposed overhaul of Article 93 of the Clinical Trials Regulation (CTR), its introduction of regulatory sandboxes across several health domains, and its treatment of AI in the medicinal product lifecycle.
On 10 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) jointly adopted their response: the EDPB-EDPS Joint Opinion 3/2026. Published on 12 March 2026, the Opinion is broadly supportive of the Proposal’s ambitions but sets out a substantial list of recommendations aimed at ensuring that the drive to simplify and accelerate biotech innovation does not dilute the protections guaranteed by the GDPR and the EUDPR (Regulation 2018/1725) for some of the most sensitive categories of personal data processed in Europe — health data and genetic data.
For sponsors, investigators, biotech developers, AI providers and the advisors who support them, the Joint Opinion is essentially a preview of where the legislative text is likely to be tightened during negotiation. Organisations that read it now will be better positioned to anticipate their future obligations.
This briefing walks through the most important themes.
1. A single legal basis for clinical trial processing — finally
One of the clearest wins in the Proposal is the attempt to establish a single, harmonised legal basis for the processing of personal data by sponsors and investigators during clinical trials. Under the proposed Article 93(1) and (2) CTR, that processing would rest on a legal obligation under Article 6(1)(c) GDPR, with special category data processed under the research and public-health derogations of Article 9(2)(i) and (j) GDPR.
This is a meaningful step. Under the current framework, sponsors and investigators have grappled with fragmented interpretations across Member States, with some relying on consent, others on public interest, and others on legal obligation — a patchwork that created compliance risk and slowed multi-country trials.
What the EDPB and EDPS want tightened
While supportive of the single-legal-basis approach, the Joint Opinion recommends several refinements:
- Necessity language. The provisions should be drafted so that data are processed only “where such processing is necessary” for the listed purposes, reinforcing the principles of necessity and proportionality.
- Monitoring under Article 48 CTR should be added to the list of purposes for which sponsors, and where relevant investigators, process data.
- Terminology alignment with the GDPR. “Perform research activities” should be replaced with “conducting scientific research” to match the vocabulary used in Article 9(2)(j) and Article 89 GDPR.
- Richer protocol content. Annex I, Part I, point D of the CTR should describe the scope of processing in concrete terms — processing operations, categories of personal data, necessity, categories of data subjects, recipients, disclosure purposes, and retention periods.
The consent withdrawal question
A subtle but important point: the Proposal would remove the current Article 28(3) CTR wording that protects the validity of results obtained before a participant withdraws informed consent. The Joint Opinion flags this and recommends that Article 28 CTR set out clearly the conditions under which data obtained before withdrawal may continue to be used, along with additional safeguards — for example, an obligation on controllers to explain why data is retained despite withdrawal. Equivalent clarifications are recommended for participants unable to consent themselves (incapacitated subjects, minors, emergency inclusions).
Practical takeaway: Sponsors should begin mapping which of their processing activities currently sit under Article 6(1)(a) consent and prepare to re-document them under Article 6(1)(c). Crucially, this is about the legal basis for data processing, not about informed consent to participate in the trial. These are two concepts the EDPB has long emphasised must not be conflated.
2. Controllership: who is actually responsible?
Proposed Article 93(4) CTR designates sponsors and investigators as controllers within the meaning of Article 4(7) GDPR. The EDPB and EDPS welcome this explicit allocation — it provides legal certainty that has been missing — but they flag two significant ambiguities.
First, the Proposal does not clarify whether sponsors and investigators act as independent or joint controllers. The Joint Opinion recommends that, where they jointly determine purposes and means, they should be treated as joint controllers under Article 26 GDPR, with co-sponsors under Article 72 CTR also qualifying as joint controllers.
Second — and this is a point that deserves attention from hospital groups and academic medical centres — the Proposal designates the individual investigator as controller. In practice, investigators are usually physicians or medical staff acting under the authority of a clinical trial site. Making them personally liable for GDPR compliance is a heavy allocation. The Joint Opinion invites co-legislators to consider attributing controller responsibility instead to the clinical trial site (the organisation), with the principal investigator acting on its behalf.
This is the kind of structural question that will shape internal governance — DPA templates, indemnification clauses in site contracts, DPO coverage, and training obligations all depend on how this is ultimately resolved.
3. Retention periods: the 25-year myth, debunked
Proposed Article 93(5) CTR cross-refers to Article 58 CTR, which requires clinical trial master files to be archived for at least 25 years. A common misreading treats this as a blanket 25-year retention period for all clinical trial personal data.
The Joint Opinion is unambiguous: the 25-year minimum applies only to personal data contained in the Clinical Trial Master File, not to every piece of personal data processed during a trial. Beyond that period, storage must comply with the storage limitation principle of Article 5(1)(e) GDPR — data should be kept only for as long as necessary for the purposes being pursued.
Practical takeaway: If your retention schedule applies a uniform 25-year rule to all trial-related personal data, it is almost certainly over-retentive. This is a prime candidate for re-examination, ideally before this becomes a supervisory authority focus area.
4. Further processing for research: proceed with care
Proposed Article 93(6) CTR permits the same controller to further process personal data for other clinical trials or for scientific research aimed at protecting public health, improving standards of care, and “fostering the innovation capacity of European medical research.”
The EDPB and EDPS welcome the intent to provide a clear legal basis for secondary use, but they identify several concerns:
- The legal basis should be spelled out. The Joint Opinion recommends that the recitals state explicitly that Article 93(6) provides a legal basis under Article 6(1)(e) GDPR (public task) — except where the further processing itself falls under Article 93(1) or (2), in which case Article 6(1)(c) applies.
- The purposes are too broad. The phrase about “fostering the innovation capacity of European medical research” is open to wide interpretation and should be defined more precisely and restrictively.
- Specific safeguards are needed. Article 6(3) GDPR requires a legal basis laid down in law to be proportionate and, as Recital 41 adds, clear and precise, with foreseeable application. The Joint Opinion recommends safeguards in line with Article 89 GDPR: enhanced transparency to data subjects, the right to object (subject to the conditions in Article 21(6) GDPR) and the right to erasure (subject to the conditions in Article 17(3)(d) GDPR), pseudonymisation where direct identification is not needed, governance structures for oversight, and confidentiality obligations for researchers.
For sponsors planning real-world evidence programmes, longitudinal follow-up studies, or AI model training on trial data, this is the provision to watch.
5. Pseudonymisation is about to become a near-default
A theme runs through almost every section of the Joint Opinion: pseudonymise whenever direct identification is not necessary.
The EDPB and EDPS recommend that proposed Article 93(8) CTR explicitly require pseudonymisation where processing directly identifiable data is not required. They make the same recommendation for:
- Sharing personal data with competent authorities and the Commission under the proposed Article 93(3) CTR — access should be limited to what is strictly necessary, and pseudonymised where direct identification is not needed.
- Further processing under Article 93(6) CTR.
- The technical and organisational measures described in Annex I, Part I, point D CTR, which should also cover integrity and confidentiality controls, encryption, and access restrictions — mirroring the last sentence of Recital 151 of the Proposal.
This aligns with the EDPB’s Guidelines 01/2025 on Pseudonymisation, which have been moving pseudonymisation from a “nice to have” toward a de facto expectation in many regulated contexts.
Practical takeaway: Revisit your data flow diagrams. For each transfer to a competent authority, to a contract research organisation, to a biostatistics vendor, to an AI provider — ask whether direct identifiers are truly needed. If not, pseudonymise at the source.
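The “pseudonymise at the source” step, as an added example that is not part of the Joint Opinion, the Proposal or this briefing’s original text: a Python sketch of a controller-side export that applies a per-recipient field allowlist, replaces the subject identifier with a keyed, recipient-bound token, and keeps the key (the “additional information” of Article 4(5) GDPR) with the controller rather than the recipient. The recipient names, field names, key and sample records are assumptions constructed for the example.

```python
"""Pseudonymisation at source for clinical trial exports.

Added example, not code from the Joint Opinion, the Proposal or any sponsor.
Assumes a controller-held secret key, a per-recipient field allowlist and the
constructed sample records below; all names are illustrative.
"""
import hashlib
import hmac
import json

# Fields that directly identify a participant. They never leave the controller.
DIRECT_IDENTIFIERS = {"subject_id", "name", "date_of_birth", "national_id", "email"}

# Allowlist per recipient: the necessity test, made explicit per data flow.
# Recipient and field names are assumptions for the example.
RECIPIENT_FIELDS = {
    "biostatistics_vendor": {"arm", "visit", "lab_value", "adverse_event"},
    "competent_authority": {"site", "arm", "visit", "adverse_event"},
}

# Placeholder key for the example. In production this is the "additional
# information" of Article 4(5) GDPR: held by the controller, stored separately
# from the exported data (ideally in a KMS/HSM) and never sent to a recipient.
DEMO_KEY = b"demo-only-key-replace-with-kms-managed-secret"

# Constructed sample records (not real trial data).
SAMPLE_RECORDS = [
    {"subject_id": "S-001", "name": "A. Example", "date_of_birth": "1970-01-01",
     "national_id": "NID-111", "site": "SITE-01", "arm": "A", "visit": 1,
     "lab_value": 5.4, "adverse_event": None},
    {"subject_id": "S-001", "name": "A. Example", "date_of_birth": "1970-01-01",
     "national_id": "NID-111", "site": "SITE-01", "arm": "A", "visit": 2,
     "lab_value": 5.1, "adverse_event": "headache"},
    {"subject_id": "S-002", "name": "B. Example", "date_of_birth": "1985-06-30",
     "national_id": "NID-222", "site": "SITE-02", "arm": "B", "visit": 1,
     "lab_value": 6.0, "adverse_event": None},
]


def subject_token(key: bytes, recipient: str, subject_id: str) -> str:
    """Keyed, recipient-bound pseudonym.

    HMAC-SHA256 over recipient || subject_id gives a token that is stable for one
    subject within one recipient's dataset (longitudinal analysis still works)
    but differs between recipients, so two recipients cannot pool their datasets
    and link records without the controller's key.
    """
    msg = recipient.encode() + b"\x00" + subject_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes, recipient: str):
    """Return the records as they should leave the controller for `recipient`."""
    allowed = RECIPIENT_FIELDS[recipient]
    out = []
    for rec in records:
        row = {"subject_token": subject_token(key, recipient, rec["subject_id"])}
        for field, value in rec.items():
            # Allowlist first, then a second check so that a direct identifier
            # added to an allowlist by mistake still cannot be exported.
            if field in allowed and field not in DIRECT_IDENTIFIERS:
                row[field] = value
        out.append(row)
    return out


def contains_direct_identifiers(records) -> bool:
    """Release gate: True if any row still carries a direct identifier."""
    return any(field in DIRECT_IDENTIFIERS for rec in records for field in rec)


def reidentify(key: bytes, recipient: str, token: str, candidate_subject_ids):
    """Controller-side re-identification (e.g. for a safety follow-up).

    Works only with the key and the controller's own subject list; a recipient
    holding the token alone cannot invert it.
    """
    for sid in candidate_subject_ids:
        if hmac.compare_digest(subject_token(key, recipient, sid), token):
            return sid
    return None


if __name__ == "__main__":
    for recipient in RECIPIENT_FIELDS:
        export = pseudonymise(SAMPLE_RECORDS, DEMO_KEY, recipient)
        assert not contains_direct_identifiers(export)
        print(recipient, json.dumps(export, indent=1))
```

Two design points carry the weight here. The token is keyed: an unkeyed hash of a subject ID or national ID is not pseudonymisation in any meaningful sense, because anyone with the identifier list can recompute it. And the token is bound to the recipient, so a CRO and a biostatistics vendor cannot cross-link their two extracts. The export remains personal data in the controller’s hands, and the allowlist does nothing about quasi-identifiers (site plus rare lab values plus visit dates can still single someone out), so this is the first control in a data flow review, not the last.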
6. Informed consent by electronic means — but not only via the EU Wallet
The Proposal introduces the possibility of providing informed consent electronically, signed using electronic identification means under the eIDAS Regulation or equivalent standards. This is a welcome modernisation, particularly for decentralised trials.
However, the Joint Opinion makes an important point: under Article 5a(15) of the eIDAS Regulation, use of the European Digital Identity Wallet (EDIW) must be voluntary. The EDPB and EDPS recommend that the proposed Article 29(1) CTR be amended to make this explicit, and to confirm that participants who do not use or cannot use electronic identification means must still be able to provide informed consent through other existing identification and authentication routes — without being disadvantaged.
This is a fundamental rights point: access to clinical research should not be gated by the use of a particular digital tool.
7. Regulatory sandboxes: useful tools, but the GDPR still applies
The Proposal introduces several regulatory sandboxes:
- For clinical trials (proposed Article 27d CTR).
- For novel health biotechnology products (Article 40).
- For specific food-related innovations (Article 56(7), amending the Food Law Regulation).
- For substances of human origin, or SoHO (Article 61).
The Joint Opinion’s message across all of these is consistent: a sandbox is not a derogation from data protection law. The GDPR and EUDPR remain fully applicable, and any “regulatory adaptations” granted in a sandbox cannot override them unless a specific, properly adopted derogation exists.
Where personal data will be processed in a sandbox, the Joint Opinion recommends that:
- The implementing act (or sandbox plan) identifies the legal basis under Article 6 GDPR and the Article 9(2) derogation for any special category data.
- The implementing act or plan defines the categories of personal data, the modalities of processing, and the safeguards for data subjects’ rights and freedoms.
- National supervisory authorities remain responsible for oversight of data protection aspects, with the EDPB and EDPS playing an advisory role to ensure consistency, particularly in cross-border sandboxes.
For the clinical trial sandbox specifically, the Joint Opinion cross-refers to the EDPB-EDPS Joint Opinion 1/2026 on the Digital Omnibus on AI, which addressed AI sandboxes and the role of supervisory authorities and the EDPB.
Practical takeaway: If your organisation is considering participating in a sandbox, treat GDPR compliance as a foundation, not as something to negotiate away. Budget for a DPIA and early engagement with your lead supervisory authority.
8. AI in clinical trials: a new layer on top of the AI Act
Proposed Article 27e CTR introduces new obligations on sponsors who intend to use AI models or AI systems in clinical trials. Sponsors must evaluate benefits and risks to patient safety and data robustness, and must describe the specific purpose and process of AI use in the protocol.
The Joint Opinion makes three significant recommendations:
- Clarify that these obligations apply in addition to the AI Act. The interaction between the Biotech Act and Regulation (EU) 2024/1689 is currently only hinted at in Recital 157, which is insufficient.
- Scope the AI Act research exemption carefully. Under Article 2(8) of the AI Act, the AI Act does not apply to research, testing or development activity regarding AI systems or AI models prior to their being placed on the market or put into service. The same paragraph provides that testing in real-world conditions is not covered by that exclusion, so an AI system used on trial participants does not automatically fall outside the AI Act. The Joint Opinion asks the co-legislators to clarify how this interacts with the research activities envisaged under the Proposal.
- Involve the EDPB in EMA guidance. When the European Medicines Agency develops guidance under Article 31 of the Proposal on the use of AI in the medicinal product lifecycle, it should cooperate with the EDPB on data protection aspects. The same applies to the guidance underpinning sponsor AI risk assessments under the proposed Article 27e(4) CTR.
The Joint Opinion cites Recital 158 of the Proposal, which acknowledges that untested AI systems can introduce bias and errors leading to misdiagnosis, incorrect treatment, or inaccurate patient selection — risks that are particularly serious in large trials. This framing is important: the Proposal recognises that AI risk in clinical research is not just a quality issue, it is a rights issue.
9. Biotechnology data quality accelerators and testing environments
Articles 32 and 33 of the Proposal introduce two forms of “high impact health biotechnology strategic projects”:
- Biotechnology testing environments (Article 32) — trusted environments for advanced health biotechnology innovations enabled or enhanced by AI.
- Biotechnology data quality accelerators (Article 33) — projects that curate, maintain and improve high-quality datasets for training, validating and testing AI systems in health biotechnology.
For both, the Joint Opinion recommends:
- Explicit consultation with supervisory authorities (or the EDPS, where relevant) when the Commission or designated national authority assesses compliance with EU and national law, where personal data is involved.
- For data quality accelerators specifically, the Commission’s implementing act should specify the modalities of processing — categories of data, roles of participating entities, recipients of the curated data, and safeguards — and should reflect the Article 5 GDPR principles, with suitable and specific technical and organisational measures for special category data.
- Clarification that Article 33(4) provides a legal basis under Article 6(1)(e) GDPR only for the improvement, standardisation and curation of data by entities that already lawfully hold it — not for the initial collection of that data.
This last point is important: the legal basis for the original collection of clinical or health data must be established elsewhere — under the CTR, Member State health law, or other applicable EU instruments. The Biotech Act does not — and should not — cure upstream gaps.
10. Verification of legitimate need: biodefence with data minimisation
Article 44 of the Proposal requires economic operators to verify the legitimate need of prospective customers before supplying certain biotechnology products of concern, including obtaining proof of identity. Economic operators must also report suspicious transactions to national contact points.
Given that prospective customers may be natural persons (as Recital 92 acknowledges), the Joint Opinion recommends that further guidance — for example, in the guidelines referred to in Article 54(c) — specify which identity data may be collected, with the data required being adequate, relevant and limited to what is necessary (Article 5(1)(c) GDPR).
The Joint Opinion also recommends clarifying the meaning of “relevant factors” in the definition of suspicious transactions, for example by cross-referring to the circumstances listed in Article 46(1) of the Proposal. Clarity here matters both for the reliability of biodefence reporting and for ensuring that economic operators do not over-collect or over-report personal data.
What organisations should do now
The Joint Opinion is not binding, but it is highly influential — EDPB-EDPS recommendations are routinely incorporated into final legislative texts during trilogue. Organisations working in the affected sectors can use this moment productively:
- Sponsors and CROs: Map your current clinical trial processing against the proposed Article 93 CTR framework. Identify where legal basis, retention, controllership, and pseudonymisation practices would need to change.
- Clinical trial sites and hospitals: Consider your exposure if individual investigator controllership is retained in the final text — and how your DPAs and site agreements would adapt if responsibility shifts to the organisation.
- Biotech developers planning to use sandboxes: Do not assume any relaxation of GDPR obligations. Build DPIA and legal basis analysis into your sandbox application from the start.
- AI providers serving the life sciences: Follow the interaction between the Biotech Act, the AI Act, and the Digital Omnibus on AI closely. The obligations are accumulating, and the research exemption in the AI Act is narrower than it first appears.
- Data protection and AI governance teams: Use the Joint Opinion as a structured checklist when reviewing contracts, protocols, and DPIAs for health data and AI projects.
Closing thought
The Joint Opinion reflects a theme the EDPB articulated clearly in its Helsinki Statement of July 2025: innovation and fundamental rights are not in opposition. Simplification of the regulatory framework is welcome — but only to the extent that it genuinely clarifies obligations, rather than hollowing them out.
For organisations operating at the intersection of AI, biotechnology and health data, the message is practical: build your governance on the assumption that the standard of protection will remain high, that pseudonymisation will be an expectation rather than an option, and that the interaction between sectoral laws and the GDPR will be scrutinised carefully. The organisations that treat the Joint Opinion as a roadmap, rather than a list of objections to negotiate around, will be the ones best positioned when the final Regulation enters into force.
Further reading
- EDPB-EDPS Joint Opinion 3/2026 on the Proposal for a European Biotech Act (full text, EDPB website)
- Proposal for a European Biotech Act (European Commission, DG SANTE)
- Regulation (EU) No 536/2014 — Clinical Trials Regulation
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
- Regulation (EU) 2018/1725 — EUDPR (data protection rules for EU institutions, bodies, offices and agencies)
- Regulation (EU) 2024/1689 — Artificial Intelligence Act
- Regulation (EU) 2024/1183 — eIDAS amending Regulation (European Digital Identity Framework)
- Regulation (EC) No 178/2002 — Food Law Regulation
- Regulation (EU) 2024/1938 — Substances of Human Origin (SoHO) Regulation