Statement from the TMF on the Guidelines 01/2026 on the processing of personal data for scientific research purposes of the European Data Protection Board dated 15 April 2026
Berlin, June 25, 2026.
Downloads
1. Summary
The TMF, which has gained extensive experience in implementing and taking data protection into account in medical research through its involvement in or provision of advice on hundreds of projects over the past 25 years, welcomes any assistance in this regard. However, the very lengthy text of these guidelines fails in many places to achieve its aim of actually providing researchers with practical guidance. This is due, amongst other things, to the fact that even the data protection authorities involved in drafting the guidelines evidently hold disparate views on issues of interpretation that are already contentious in the literature; consequently, the text published here does not take a clear stance on these issues. Instead, there are instances where the wording tends to favour one interpretation, followed by instances where the wording aligns more closely with a contrary interpretation. This can be seen, for example, in the discussion of the compatibility of further processing with the original purposes of collection under Article 5(1)(b) of the GDPR. The issue here is whether the original legal basis for the collection is deemed sufficient – or indeed insufficient – for further processing. Unfortunately, amidst this back-and-forth, the actually very clear interpretative guidance in Recital 50, second sentence, of the GDPR is largely ignored. The same applies to the comments on ‘broad consent’ against the backdrop of the controversial interpretative guidance in Recital 33 of the GDPR. When two different interpretations of the GDPR are diametrically opposed in such instances, a compromise text unfortunately does nothing to assist those applying the law. It might be more helpful for all parties involved if the data protection authorities were able to disclose their indecision in such cases. Ultimately, this would also send a more honest signal to the legislator.
In addition, there is a discernible trend towards interpreting as narrowly as possible the potential scope and privileges afforded to scientific research under the GDPR within the framework of a risk-based approach. Whilst this trend does at times lead to clarity, it cannot be viewed unambiguously as assistance or support for research. Particular mention should be made here of the section on information obligations, in which the greater emphasis on a data-minimisation approach over the enforceability of all rights and obligations under the GDPR – as expressed in Articles 11(1) and 89(1) of the GDPR – is turned on its head.
Furthermore, the guidelines contain many observations that may well be helpful to various users. However, in light of the analysis presented here, we recommend a fundamental revision in line with the points mentioned.
2. Scope of processing of personal data for scientific research purposes
We have no comments on this section.
3. Data protection principles
Para.: 19
Text of the Guidelines: Under Article 5(1)(b) GDPR, further processing for scientific research purposes is presumed to be compatible with the initial purpose(s) of the processing29. Therefore, when further processing personal data for scientific research purposes it is not necessary to undertake the compatibility test, pursuant to Article 6(4) GDPR30. […]
Comment: The assessment made here – that a compatibility test under Article 5(1)(b) of the GDPR is not required in the case of further processing for scientific research purposes – is, in principle, understandable. However, the wording used in Article 5(1)(b) and Recital 50 of the GDPR (using ‘shall’ instead of ‘is’ and a double negative) allows for somewhat greater scope in the assessment than, for example, in the interpretative guidance on the lack of a need for a new legal basis in Recital 50, second sentence, of the GDPR (‘is’ instead of ‘shall’). When considering the assessment criteria set out in Article 6(4) of the GDPR and, somewhat more generally, in Recital 50 regarding the compatibility of further processing with the purposes for which the data was collected, it is striking that these criteria apply – if not always, then at least frequently – to processing carried out for scientific research purposes. Research frequently aims to improve certain aspects within the field from which data is drawn. For example, medical research using treatment data often aims to improve treatment. In this respect, there is frequently a connection between the purposes. Furthermore, risk-based criteria, such as data minimisation, are generally met in research. Against this background, the postulated principle of compatibility of further processing for scientific research purposes also becomes understandable, as in a typical, aggregated analysis that tends to disregard individual cases, the risks to data subjects are indeed very low (cf. Roßnagel, Art. 5 para. 104 at [1]). However, as this does not necessarily apply to all research projects, it is recommended that, where appropriate, even in the case of processing for scientific research purposes, an assessment in accordance with the criteria set out in Article 6(4) of the GDPR should be carried out to determine compatibility under Article 5(1)(b) of the GDPR.
Para.: 21
Text of the Guidelines: In this regard, the EDPB has previously stated that under certain conditions, and provided that appropriate safeguards have been adopted pursuant to Article 89(1) GDPR, a controller may be able to rely on the legal basis for the initial processing operations when further processing personal data for scientific research purposes32. However, the EDPB and the EDPS have also stated that the question of compatibility of purposes should not be confused with principle of lawfulness33. Therefore, the possibility to rely on the legal basis that the initial processing was based on requires an assessment of lawfulness to determine that this legal basis is also suitable to rely on for the further processing of personal data for scientific research purposes.
Comment: In fact, the principle set out in Article 5(1)(b) of the GDPR regarding the possible compatibility of further processing of personal data with the purpose of collection allows for different interpretations as regards the assessment of the legal basis for the collection. The recitals should therefore be consulted as the very first aid to interpretation, and Recital 50, second sentence, of the GDPR provides clear guidance on this point. Where further processing is compatible with the purpose of collection, no further legal basis distinct from that for the collection is required. Unfortunately, this clear guidance is obscured here, or is even directly contradicted. It is left open as to how an assessment should be carried out to determine whether the legal basis for the collection can also support further processing that is compatible with Article 5(1)(b) of the GDPR.
Para.: 22
Text of the Guidelines: In many cases controllers will be able to rely on the same legal basis, for example where a controller initially processed personal data on the basis of public or legitimate interest. It is, however, not always possible to rely on the same legal basis when further processing personal data for scientific research purposes. This applies in particular if the initial legal basis for the primary processing is consent or a legal obligation.
Comment: Here, certain categories of legal bases, such as consent and a legal obligation, are excluded from the possibility that they might also provide a basis for further processing in accordance with Article 5(1)(b) of the GDPR. It remains unclear why these categories are excluded, and this blanket exclusion is also incompatible with the unrestricted wording of the rule set out in Recital 50, second sentence, of the GDPR.
Para.: 23
Text of the Guidelines: If a controller considers that further processing for scientific research purposes could be based on Article 6(1)(f) GDPR, the significant societal interest of conducting scientific research, as also reflected by the presumed compatibility of processing for scientific research purposes, carries significant weight in the balancing test in relation to the data subjects’ interests or fundamental rights or freedoms.
Comment: On the one hand, this example suggests that a new assessment of the legal basis must also be carried out in the case of further processing that is compatible with Article 5(1)(b) of the GDPR, as otherwise the purpose of scientific research (which should only apply to the further processing) could not have been taken into account in the original assessment of the legal basis under Article 6(1)(f) of the GDPR. It remains unclear whether the phrase ‘same legal basis’ in the comments might, in some cases, refer merely to the same category of legal basis.
In summary, it is open to criticism that an assessment of compatibility in the context of further processing for scientific research purposes – as formalised in Article 6(4) and described somewhat more generally in Recital 50 is categorically ruled out in the case of further processing for scientific research purposes, whilst at the same time an assessment – not provided for in the GDPR – of the validity of a legal basis is required; even here, however, it remains unclear whether the validity of the legal basis for the collection or a separate one for the further processing is to be assessed
Para.: 24
Text of the Guidelines: If a controller further processes special categories of personal data, pursuant to Article 9(1) GDPR, for scientific research purposes, it may also rely on the presumption of compatibility of purposes, pursuant to Article 5(1)(b). Nevertheless, the controller must still assess which derogation to the prohibition to process special categories of personal data, pursuant to Article 9(2) GDPR, that applies when further processing such data for scientific research purposes38. Accordingly, if the controller intends to rely on the same derogation, pursuant to Article 9(2) GDPR, that it relied on for the initial processing operation, then the controller must assess whether that derogation is also suitable for the further processing of personal data for scientific research purposes39.
Comment: The ambiguity regarding the assessment of the significance of the legal basis for the collection of data in relation to further processing for scientific purposes is extended here to the exceptions to the prohibition on the processing of special categories of personal data under Article 9(1) of the GDPR. The exclusion of any possible assessment of the compatibility of further processing in accordance with the criteria set out in Article 6(4) of the GDPR evidently also leads to an oversight of the fact that special categories of personal data are already taken into account here in that they do not, in principle, preclude compatibility under Article 5(1)(b) of the GDPR, but do make it more difficult.
Para.: 25
Text of the Guidelines: When the controller further processes personal data concerning health, genetic or biometric data, it should also consider that there may be additional conditions or limitations imposed by MS law on the processing, pursuant to Article 9(4) of GDPR, also in cases of further processing for scientific research purposes.
Comment: This view is to be endorsed.
4. Lawfulness of processing
Para.: 37
Text of the Guidelines: If personal data is processed in the field of medical research involving patients, such as clinical trials, then the controller should consider the mental or physical condition of the patient. If a patient’s capacity to provide consent is severely affected by his or her mental or physical medical condition, then the controller should refrain from relying on consent for the processing of personal data54. Conversely, the fact that a data subject is a patient receiving health care does not in itself affect the data subject’s capacity to freely provide consent, in so far as the data subject is not severely affected by a mental or physical medical condition55.
Comment: We agree with this. We are grateful for the clarification in sentence 3.
Para.: 45
Text of the Guidelines: […] The purpose for processing can be delimited to a certain field of research, for example medical research in the field of oncology, or sociological research in the field of criminology. However, the purpose can also be delimited in view of expected outcomes of the research, for example conducting genetic research to find better medical treatment methods.
Comment: As a guide to interpretation, it is unhelpful to repeat here, using incorrect wording, the guidance already provided in Recital 33 of the GDPR. For instance, the plural phrase ‘certain areas of scientific research’ in Recital 33 of the GDPR is rendered here as the singular ‘certain field of research’.
Para.: Ex. 8
Text of the Guidelines: […] In order to meet the requirements of a comprehensive medical research infrastructure, and to include inter-disciplinary issues as well as questions of multimorbidity, the purposes covered by the given consent are not limited to any specific disease. Instead, the given consent covers a broad range of specified medical disciplines. When additional medical disciplines that are not covered by the original consent are added, data subjects are informed about this. The data subjects are also asked whether they want to consent to the processing of their personal data in research projects covered by the additional purposes. […]
Comment: We are pleased that the ‘Broad Consent’ model of the Medical Informatics Initiative in Germany – in the development and coordination of which the TMF played a central role with the data protection authorities – has evidently been incorporated as an example into the guidelines. However, the introduction of the undefined term ‘medical disciplines’ is problematic here, as it ultimately tends to cause uncertainty amongst readers. If this is indeed meant to refer to areas of medicine, it would contradict the introductory statement that consent is not limited to ‘any specific disease’. We therefore recommend deleting all references to ‘medical disciplines’.
5. Information obligations
Article 89(1), fourth sentence, of the GDPR expressly stipulates that research purposes should be pursued without identifying the individual. The Guidelines, on the other hand, focus heavily on the enforceability of data subjects’ rights. The Guidelines do not resolve the inherent conflict of objectives – which is enshrined in the GDPR – with a comprehensible justification. The specific recommendations strain the concept of necessity and, at the same time, disregard the principle of data minimisation. In the worst-case scenario, the proposed retention of identifying characteristics would result in breaches of Article 89 of the GDPR, the requirements of which – when processing for research purposes – must, in principle, be implemented quite specifically, often as a corrective measure beyond mere designation as ‘exemptions’.
The GDPR resolves this conflict of objectives regarding data subjects’ rights in Article 11, favouring data minimisation. However, this assessment is largely disregarded when the information obligations are addressed.
It is also unclear which use case the drafters had in mind. Many of the statements are far removed from the reality of university research. Particularly where research is not a one-off event but a core remit, time-consuming efforts to contact individuals on a case-by-case basis are not a viable approach. The GDPR aims to give research preferential treatment and provides for de-identification as a key safeguard. This principle is turned on its head when the guidelines define the exception as the rule.
Where research institutions, such as university hospitals, process data relating to the care of their patients for scientific research purposes, they are subject to the obligations set out in Article 13 of the GDPR. At the same time, research in this context generally takes place within a planned framework, meaning that, in principle, it is possible to provide patients with prior information within the meaning of Article 13(3) of the GDPR. In order not to significantly hinder research carried out by these institutions, it is therefore essential to reach a common understanding of the circumstances in which a data subject may be deemed to have already been informed within the meaning of Article 13(4) of the GDPR. In this respect, we recommend taking into account best practices from other areas, such as those relating to ‘broad consent’ (see Example No. 8). This includes providing comprehensive initial information about the forthcoming change of purpose and the scope of possible research purposes, as well as ongoing transparency measures which, however, also respect, for example, the right of individual patients not to be informed.
Para.: 77
Text of the Guidelines: When a controller intends to or anticipates that it will process personal data for scientific research purposes over longer periods of time, then it should give data subjects an opportunity to voluntarily provide contact details. This will make it possible for data subjects to get necessary updates on the processing of their personal data. Data subjects should get this opportunity, even if the purposes for processing personal data do not require the processing of contact details*
Comment: The collection of contact details, where these are not necessary for the purposes of the study, contravenes the principles of necessity and data minimisation under Article 5 and Article 11 of the GDPR
Para.: Ex. 14
Text of the Guidelines: A customer wants to know more about how their individual personal data are processed for the scientific research project conducted by the university and contacts the university’s DPO. Since the university cannot identify the data subject, the DPO informs the university which in turn instructs the retail analytics company to provide the necessary information to the DPO. Having received the information, the DPO informs the data subject about the processing of their personal data at the retail analytics company.
Comment: The data flow described and presented as an example runs counter to the basic rule that data subject requests should be handled where it is possible to identify the participant. Otherwise, there is a risk of the pseudonymisation being compromised. In this respect, the company should have been specified as the point of contact, in line with data-minimisation principles. Even though the data flow described is legally permissible under certain conditions within the framework of data processing on behalf of a controller, we do not consider the presentation in an example to be helpful.
Para.: 85
Text of the Guidelines: The controller must inform the data subjects in advance of the further processing operations. Provision of information within a sufficient period before the processing starts should allow the data subjects to consider the impact of the further processing of their personal data. Several factors should be taken into account to determine such period, such as the intrusiveness of the processing into the private life, its impact on the protection of personal data, the processing of special categories of data or other types of sensitive personal data, the reasonable expectations of the data subject, or the fact that data subjects are in a vulnerable position. This also allows data subjects to exercise their rights under the GDPR, not least to withdraw their consent in case the processing operations concerns a certain area of scientific research to which the data subject has given broad consent, or to object to the further processing, when applicable.
Comment: It is important to note here that such prior information to data subjects by organisations whose purpose also includes the secondary use of data for research purposes – such as university hospitals – is already possible at the time of collecting the primary data and, in combination with further transparency measures, is also sufficient.
Para.: 86
Text of the Guidelines: It may be challenging for controllers to inform data subjects of further processing for scientific research purposes if they have not retained the contact details of the data subjects, for example due to pseudonymisation of the personal data where identifiers or a table of correspondence are not accessible for the controller. To that end, if the controller knows at the time of collection (or when contact details are deleted because they are not necessary to process) that the personal data will be processed for scientific purposes at a later stage, then the controller should make sure that data subjects can stay informed, in accordance with Articles 12 and 13 GDPR.
Comment: In principle, we welcome the view that data controllers can provide sufficient information at the time the data is collected, without necessarily having to contact the data subjects with further information at a later date. However, we do not understand why this method of providing information – if it is indeed considered sufficient in principle – must be restricted to the specific scenario mentioned here, in which the data controller no longer has the data subjects’ contact details at a later stage.
Para.: 87
Text of the Guidelines: Controllers should not knowingly delete contact details if they intend to or anticipate that they will further process personal data for scientific research purposes. If a controller knowingly deletes contact details and then fails to inform data subjects directly when further processing personal data for scientific research purposes, this may lead to a breach of the principle of transparency, pursuant to Article 5(1)(a) GDPR, as well as Article 13(3).
Comment: This would mean that contact details would never be deleted. As a rule, the possibility of future research cannot be entirely ruled out, as new findings from research could necessitate the further processing of study data. Furthermore, this requirement runs counter to the measures set out in Article 89 of the GDPR: according to this, data must be anonymised as soon as the purpose permits.
We therefore recommend deleting this paragraph.
Para.: 88
Text of the Guidelines: If the controller at the time of collection of the personal data did not know or anticipate that it would process personal data for scientific research purposes at a later stage, it may not have contact details of the data subjects. If the controller has identifiers, such as a name or administrative identification number, it should make reasonable efforts to acquire contact details if they are readily available and acquisition would not require a disproportionate effort.
Comment: The obligation to first use existing identifiers to ascertain current contact details increases the risks to the rights and freedoms of data subjects. This makes the processing of their identifying data necessary in the first place, as this data may need to be retrieved from population registers. Consequently, the circle of recipients is also expanded, even though this is not necessary for the actual research purpose. This is diametrically opposed to the principle set out in Article 11(1) of the GDPR, which states that ‘the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation’.
We recommend deleting this paragraph.
Para.: 89
Text of the Guidelines: If public registries or other viable means are not available, if their use would require a disproportionate effort, or if a data subject is not listed in any of the available sources, then the controller should inform data subjects indirectly. The provision of such information should ensure that as many data subjects concerned as possible are reached. Relevant means to make the information publicly available, which need to be adjusted depending on the context of the research project and the data subjects involved, include:
- Providing information on a website, as detailed above;
- Posting information in localities where the relevant data subjects are present regularly (e.g. schools, universities, correctional facilities, medical care facilities, pharmacies, etc);
- Advertising in public spaces, on the television or radio, in newspapers – in particular local media or online; and
- Providing information through associations representing research subjects (e.g. patient organisations, trade unions, non-profit organisations etc).
Comment: In fact, Article 13 of the GDPR does not contain any exceptions for controllers who have collected the data being further processed themselves, such as Article 14(5) of the GDPR, which allows for adjustments to the manner of providing information depending on the difficulties involved in doing so. In this respect, we tend to assume that, in certain cases of data-minimisation, the obligation to comply with Article 13 pursuant to Article 11(1) of the GDPR is entirely waived.
Para.: 100
Text of the Guidelines: If a controller can demonstrate that it would require a disproportionate effort to inform the data subjects individually, it is exempt from doing so, pursuant to Article 14(5)(b) GDPR. In the field of scientific research, the following situations may in particular be associated with a disproportionate effort:
- A high number of data subjects to inform, for example large registries with patient data, population data or data on pupils accumulated nation-wide, while many contact details are outdated due to the age of the dataset. This exemption cannot be relied on if the controller can lawfully obtain a high number of contact details easily, for example through the use public registers149;
- Difficulties of finding the contact details of the data subject, for example if the contact details were collected a long time ago and might no longer be accurate and there are no reasonable means available to the controller to obtain current contact details; or
- The age of the personal data, e.g. if the data set is older than 10 years.
Comment: Re point 1: The costs and effort involved in the actual register enquiry and in sending letters, plus staff costs, are disproportionate, particularly given the large number of data subjects concerned. In particular, the effort involved does not take into account the need to deal with the responses from the individuals contacted. It must be borne in mind that the number of data subjects in research is often in the four- or five-figure range and can, in some cases, even reach six figures. It is precisely the associated financial hurdles that jeopardise the research objective.
Furthermore, this assumes that additional information about the data subjects is actively collected by the controller, who has not collected the data from the data subjects themselves and, as such, often does not have the data subjects’ identification details in the research context. In this respect, the interpretation of Article 11(1) of the GDPR is effectively reversed here, and the reference in Article 14(5)(b) to Article 89(1) of the GDPR – which stipulates the need for data minimisation – is completely ignored. In this regard, there is no sign of the privileged treatment accorded to research.
Re point 3: We recommend the following amendment: ‘… the data set is 5 years old or older’.
In principle, all three points have included the age of the data set as a criterion. The age should only be retained as a criterion in the final point.
Para.: 103
Text of the Guidelines :It should be noted that processing of personal [data] for scientific research without individually informing the data subjects should only occur where it is strictly necessary, as it constitutes a serious interference with the fundamental rights and freedoms of data subjects. Accordingly, when controllers conduct covert research, they should adopt appropriate safeguards, pursuant to Article 89(1) GDPR, to counter-act that interference.
Comment: For the sake of clarity, it should be pointed out here that this statement applies only to cases where it is, in principle, possible to provide information and where no additional data needs to be collected or processed for this purpose. Otherwise, it would be confusing to refer to Article 89(1) of the GDPR and the safeguards without mentioning Article 89(1), sentences 3 and 4, which require de-identification and even call for anonymisation.
Para.: 107
Text of the Guidelines: If a controller makes changes to its processing operations that renders the information previously provided to data subjects obsolete or incomplete, then it must inform the data subjects about those changes, pursuant to Article 13(4) and 14(5)(a) GDPR.
Comment: This section contains no reference to specific legal obligations. It falls outside the scope of cases involving further processing for a different purpose (sections 5.3 and 5.4 of the Guidelines), and the wording does not correspond to Articles 13(3) and 14(4) of the GDPR. The reference to an older guideline suggests that all of this is derived from the obligation of transparency; however, in that context, it relates only to the authorisation provision. Here, the wording is unrestricted, which would mean that Articles 13 and 14 of the GDPR are ongoing obligations.
The reference to Articles 13(4) and 14(5)(a) of the GDPR does not help to clarify the context, because – contrary to what the location might suggest – these provisions specifically govern the exemption from further information requirements.
We recommend deleting this paragraph.
Para.: 108
Text of the Guidelines: In the field of scientific research, changes to the processing of personal data that would require additional information include:
- Making substantial changes to the objectives of a research project, leading to a change of the purposes of processing of personal data;
- Determining that the personal data will be processed on the basis of a different legal basis than the initial one160;
- Changes to the identity of the controller – for example if a research laboratory merges with another laboratory, forming a new entity;
- Engaging with new research partners that are not reasonably expected by a data subject and that will receive personal data, in particular if research partners outside the EEA are engaged resulting in transfer to third countries, or international organisations161;
- Extending the period of processing personal data, including storage, depending on how substantial the change is and what information on the period of retention that has been communicated to the data subject;
- Changes to the risk profile for the processing of personal data, for example because of changes to the scientific methods or the use of novel or untested technology;
- Adding categories of personal data to the data set used in a research project, that have not been communicated to the data subject previously; and
- Changes to the interface for data subjects to be able to exercise their rights, such as introducing a dedicated platform for the purpose162.
Comment: We refer to our commentary on recital 107 and recommend that this paragraph be deleted.
* Bold text has been added by us for clarity and does not appear in the original.
6. Betroffenenrechte
Rn.: 120
Text of the Guidelines: Article 17(3)(d) GDPR provides for a specific exception from the right to erasure if the processing is necessary for scientific research purposes, in accordance with Article 89(1) GDPR. In addition to assessing the strict necessity of processing of personal data in relation to the scientific research purpose, the controller must also assess the individual circumstances in each request of a data subject when applying Article 17(1)(d) GDPR. To that end, Article 17(3)(d) GDPR should only be applied in limited circumstances, as it is only when erasure is likely to render impossible or seriously impair the achievement of the scientific research purposes that it is possible for a controller to reject a request for erasure175. For example, if a controller processes personal data from a large number of data subjects, requests of data subjects for erasure of their personal data may not make it impossible or seriously impair the achievement of the scientific research purposes. However, if a controller uses personal data from a small number of data subjects, where the personal data of each data subject is of significant importance for the outcome of a research project, then it is more likely that the controller is justified in relying on Article 17(3)(d) of the GDPR and reject a request for erasure. A request for erasure of personal data may also make it impossible or seriously impair the achievement of the scientific research purposes if the controller researches developments or trends over a longer period of time and the request is received while the research is still in progress.
Comment: The point that, in cases involving small sample sizes, erasure could jeopardise a research project to such an extent that the exception under Article 17(3)(d) of the GDPR might apply here is welcomed.
It would be desirable to take into account another scenario that is likely to be relevant much more frequently. In accordance with good scientific practice, data from research projects carried out and published must be retained unchanged for 10 years in order to ensure the traceability of such projects. The likelihood of a withdrawal of consent or an objection reaching the controller over such a long period is typically higher than in other phases of a research project. However, deleting a single data record from a dataset archived in this way inevitably means that the purpose of traceability can no longer be achieved with that particular dataset. In this respect, it can also be assumed that the entire research project is at risk. Therefore, this case should be explicitly included here.
For the sake of completeness, it would be desirable to clarify that the legal basis for further processing following the application of Article 17(3)(d) of the GDPR is the original legal basis.
7. Attribution of responsibility
Para.: 143
Text of the Guidelines: If several parties carrying out the research are joint controllers, they can generally rely on the same legal basis. However, the GDPR does not preclude that different joint controllers rely on different legal bases, depending on their applicability to a given processing operation216.
Comment: The clarification that joint controllers do not necessarily require separate legal bases is welcomed.
8. Technical and organisational safeguards
Para.: 161
Text of the Guidelines: To ensure the proper effectiveness of anonymisation or pseudonymisation, controllers must use state-of-the-art anonymisation or pseudonymisation methods, taking into account the most current assessment of effectiveness, risks of re-identification, threats to security, etc. The EDPB’s guidelines on pseudonymisation provide further guidance on how to assess effectiveness239. […]
Comment: Reference is made here to the EDPB’s draft guidelines on pseudonymisation. The TMF had commented critically on this draft, and we once again ask that these comments be given careful consideration.1
9. Bibliography
1. Simitis, S., Hornung, G., Spiecker gen. Döhmann, I., Hrsg. Datenschutzrecht. DS-GVO/BDSG. 2. Aufl. 2025, Nomos, Baden-Baden.
10. List of abbreviations
BDSG – Bundesdatenschutzgesetz; Federal Data Protection Act
DPO – Data Protection Officer
DS – Data protection
DS-GVO – see GDPR
GDPR – Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – General Data Protection Regulation (Regulation 2016/679)
EDPB – European Data Protection Board (https://edpb.europa.eu)
EDPS – European Data Protection Supervisor (www.edps.europa.eu)
EEA – European Economic Area
EC – European Community
e.g. – Example
MS – Member State
para. – paragraph
TMF – TMF – Technology, Methods, and Infrastructure for Networked Medical Research (www.tmf-ev.de)