Summary

The EDPB Guidelines 02/2026 redefine anonymisation standards for clinical trial data, emphasizing rigorous assessments against re-identification risks. These guidelines mandate a three-criteria test and the continuous evaluation of anonymisation techniques, directly impacting compliance for life sciences organisations involved in data processing and AI applications in clinical trials.

Contact us

What Are the EDPB Guidelines 02/2026 and Why Do They Matter for Clinical Trials?

The EDPB Guidelines 02/2026 on anonymisation are a  interpretive instrument adopted by the European Data Protection Board on 8 July 2026 that defines the conditions under which a dataset ceases to constitute personal data within the meaning of Article 4(1) GDPR. They matter for clinical trials because trial datasets routinely combine rare diagnosis codes, genomic sequences, site visit schedules and adverse-event narratives, each of which can individually or collectively allow re-identification of a participant even after standard de-identification procedures have been applied.

Before the guidelines, organisations relied primarily on Recital 26 GDPR and the 2014 Article 29 Working Party Opinion on anonymisation techniques. Neither instrument addressed the specific re-identification risks that arise when clinical trial data is reused for artificial intelligence (AI) training, federated learning or real-world evidence generation. Guidelines 02/2026 fill that gap by:

  • Introducing a controller-perspective assessment, requiring the sponsor or CRO to evaluate re-identification risk using the means reasonably available to any actor likely to receive the data, not merely the controller itself.
  • Mandating entity mapping as a preliminary step, so that all direct and indirect identifiers present in the dataset are catalogued before any anonymisation technique is applied.
  • Recommending aggregation or synthetic data generation where individual-level anonymisation is technically infeasible, for example in small-cohort rare-disease studies.
  • Requiring ongoing reassessment as re-identification science evolves, creating a living obligation rather than a one-time compliance checkpoint.

The guidelines also intersect with the EU Clinical Trials Regulation 536/2014 (EU CTR), which governs the processing of clinical trial data across EU Member States, and with the requirements of ICH E6(R3) Good Clinical Practice, which demands that participant privacy be protected throughout the trial lifecycle.

What Is the Three-Criteria Anonymisation Test and How Does It Apply to Trial Datasets?

The three-criteria anonymisation test, as defined in EDPB Guidelines 02/2026, is a cumulative assessment that requires a dataset to satisfy three conditions simultaneously: No Record Isolation (it must be impossible to single out an individual record), No Linkage (it must be impossible to link records relating to the same individual across datasets) and No Inference (it must be impossible to deduce new information about an individual from the remaining data). A dataset that fails any one criterion remains personal data subject to GDPR in full.

How the Test Works in Practice for Clinical Datasets

The guidelines offer two methodological pathways. The contextual approach is recommended for high-risk datasets: the controller analyses each identifier category in context, considering the realistic population of recipients, the auxiliary datasets that are publicly or commercially available, and the computational power accessible to a motivated adversary. The simplified approach is available for lower-risk datasets and relies on a set of proxy indicators such as cohort size, variable granularity and publication format to produce a rapid but documented adequacy determination.

For clinical trial datasets, the contextual approach will almost always be required because:

  • Patient populations in Phase II/III oncology or rare-disease trials are numerically small, making record isolation straightforward even after age-banding and regional aggregation.
  • Linkage risk is heightened by the availability of patient registries, biobank records and electronic health record (EHR) systems that share overlapping variable sets with trial case report forms (CRFs).
  • Inference risk is amplified when adverse-event profiles, biomarker trajectories or genomic data are retained in even partially processed form, because machine-learning models trained on public datasets can reconstruct individual-level predictions.

The guidelines explicitly note that clinical trial datasets reused for AI training represent a category of elevated inference risk and recommend that sponsors obtain a specific anonymisation opinion from their Data Protection Officer (DPO), defined under Article 37 GDPR as the designated expert responsible for advising on and monitoring data protection compliance within an organisation.

What Enforcement Lessons Do the SRB Case and the CNIL Fine on IQVIA Provide?

The SRB case and the CNIL fine on IQVIA, both cited as foundational precedents in EDPB Guidelines 02/2026, demonstrate that regulators will pierce claimed anonymisation where the controller has not conducted a rigorous, documented re-identification risk assessment. In the SRB case, the Court of Justice of the European Union held that data is not anonymous simply because the controller itself cannot re-identify it; the realistic ability of any third party, including data recipients and the general public, must be considered. In the IQVIA matter, the CNIL found that health and prescription data aggregated for commercial analytics purposes retained sufficient identifiability to constitute personal data, resulting in a significant financial penalty.

Focus: The Example of France and the CNIL Fine on IQVIA

The Commission Nationale de l'Informatique et des Libertés (CNIL), France's national data protection authority, fined IQVIA on the ground that pharmaceutical prescription data, even when processed at an aggregated level, could be re-identified by combining it with auxiliary commercial datasets. The CNIL applied the same controller-perspective test that Guidelines 02/2026 now codify. For life sciences companies operating in France, this decision reinforces the obligation under MR-001 (Méthodologie de Référence 001, the CNIL's reference framework for interventional clinical research) to demonstrate, not merely assert, that data shared with analytics providers has been rendered genuinely anonymous. Sponsors who rely on contractual language alone, without a documented technical assessment, risk replicating the IQVIA exposure.

Focus: The Example of the European Union and the SRB Precedent

The Single Resolution Board (SRB) case, decided by the Court of Justice of the European Union, established that an institution cannot exempt itself from GDPR obligations by unilaterally classifying data as anonymous. The court required an objective assessment of whether any recipient, not only the controller, possesses means reasonably likely to be used for re-identification. Guidelines 02/2026 translate this principle into operational guidance by requiring entity mapping and third-party risk modelling as standard components of every anonymisation determination. For clinical trial sponsors, this means that transferring a purportedly anonymous dataset to a CRO, an AI vendor or a regulatory agency without completing entity mapping first creates direct enforcement exposure under Articles 5, 24 and 83 GDPR.

Focus: The Example of Germany and DPA Enforcement Posture

The German data protection landscape is characterised by 16 state-level authorities (Landesdatenschutzbehörden) operating alongside the Federal Commissioner for Data Protection and Freedom of Information (BfDI). German supervisory practice has historically applied a strict standard to health data anonymisation, consistent with the position now codified in Guidelines 02/2026. For multinational sponsors with German clinical sites, this means that anonymisation assessments prepared under the contextual approach must account for the Bürgerliches Gesetzbuch (BGB) civil-law framework governing medical records, which may impose retention periods that extend the window during which re-identification is possible and therefore elevate residual risk scores.

Focus: The Example of the Netherlands and Scientific Research Exemptions

The Autoriteit Persoonsgegevens (AP), the Dutch supervisory authority, has published guidance clarifying that the scientific research exemption under Article 89 GDPR does not remove the obligation to anonymise data at the point of secondary use. Sponsors planning to transfer clinical trial datasets to Dutch academic centres for AI model training must complete a Data Protection Impact Assessment (DPIA), defined under Article 35 GDPR as a systematic prior assessment of processing likely to result in high risk to natural persons, and document whether the three-criteria test was met before the transfer occurs.

What Is a Practical Compliance Framework for Life Sciences Organisations?

A practical compliance framework for life sciences organisations responding to EDPB Guidelines 02/2026 must integrate anonymisation governance into existing trial infrastructure, including the trial master file (TMF), the DPIA process and contractual arrangements with data processors. The guidelines do not create standalone obligations; they sit within the existing architecture of GDPR Articles 5, 24, 25, 28, 30 and 35, and they interact with sector-specific requirements under EU CTR 536/2014 and EMA guidance on clinical data publication.

Step 1: Entity Mapping

Entity mapping is the systematic identification of every variable in a dataset that could, alone or in combination, distinguish an individual, link records across sources, or support an inference about characteristics not directly observed. For a typical Phase III CRF, entity mapping should cover: patient identifiers (subject number, initials, date of birth range), clinical variables (diagnosis code at ICD-10 or ICD-11 level, biomarker values, genomic data), administrative metadata (site country, visit dates, randomisation arm) and any free-text fields containing narrative adverse-event descriptions. EDPB Guidelines 02/2026 treat the absence of documented entity mapping as a process failure indicating that the anonymisation claim is unsubstantiated.

Step 2: Technique Selection and Documentation

Common anonymisation techniques applicable to clinical data include generalisation (replacing exact ages with bands), suppression (removing rare-event records), noise addition, data swapping and k-anonymity modelling. Guidelines 02/2026 do not mandate a single technique but require that the chosen method demonstrably satisfies all three criteria of the anonymisation test for the specific dataset in question. The selection rationale and the test outcome must be recorded in a document retained for the period of the trial and any subsequent regulatory inspection window, consistent with TMF retention obligations under EU CTR 536/2014 Article 58.

Step 3: AI Reuse Governance

Where clinical trial data is intended for AI model training, sponsors must assess whether the trained model could itself leak individual-level information through membership inference attacks, a technique by which an adversary determines whether a specific record was present in the training set. Guidelines 02/2026 recommend that sponsors either apply differential privacy mechanisms to the training process or document why such mechanisms are unnecessary given the dataset characteristics. Contractual arrangements with AI vendors must include data processing agreements (DPAs) under Article 28 GDPR specifying that the vendor will not attempt re-identification and will report any re-identification event as a personal data breach under Article 33 GDPR.

Anonymisation versus Pseudonymisation versus Synthetic Data: A Comparison

Anonymisation, pseudonymisation, and synthetic data sit at different points on the GDPR risk spectrum, and clinical trial teams often use the terms loosely when they shouldn't. Anonymisation means irreversibly removing every means of identifying an individual, satisfying the three criteria test set out in EDPB Guidelines 02/2026; once genuinely anonymised, data falls outside GDPR's scope entirely under Recital 26, which is why it forms the basis for publishing aggregate efficacy tables or population level summaries in regulatory submissions, provided the residual re-identification risk is documented as negligible. Pseudonymisation, by contrast, is defined in Article 4(5) GDPR as replacing direct identifiers with a code or alias while keeping the key separately; because that key can, in principle, be used to re-link the data to a real person, pseudonymised data remains personal data and GDPR continues to apply in full. This is the everyday reality of trial conduct, where subject numbers stand in for names on CRFs, and the re-identification risk is moderate to high since it depends entirely on who can access the key. Synthetic data is different again: it is a statistically representative artificial dataset generated from the original data, preserving distributional properties without retaining any real records. It falls outside GDPR scope if the generation process is properly validated, but back inside scope if there is still a possible linkage to the originals, and even well validated synthetic datasets are not automatically risk free, since poorly generated ones can be vulnerable to membership inference attacks. This makes synthetic data useful for AI model pre training, pilot analytics, and sharing with academic partners, but not a guaranteed anonymisation shortcut.The EDPB Guidelines 02/2026 raise the bar for data privacy clinical trials compliance across every stage of the research lifecycle, from first-in-human studies through to post-marketing real-world evidence programmes. iliomad's clinical trials data protection practice combines regulatory expertise with hands-on trial experience to help sponsors, CROs and AI developers complete entity mapping, pass the three-criteria test and document their outcomes to a standard that withstands supervisory scrutiny.

Speak to an iliomad clinical trials data protection specialist today and receive a gap assessment against EDPB Guidelines 02/2026.

Contact us

FAQs

Our frequently questions

Does EDPB Guidelines 02/2026 apply to clinical trial data collected before 8 July 2026?

Yes. The guidelines are interpretive instruments that clarify the existing meaning of GDPR Articles 4(1) and Recital 26, not new legislation. They therefore apply to all ongoing and historical processing activities that remain within a controller's active operations, including datasets held in long-term archives for regulatory inspection purposes under EU CTR 536/2014.

Is a DPIA mandatory every time a sponsor claims a clinical trial dataset is anonymous?

Not automatically, but EDPB Guidelines 02/2026 recommend that where anonymisation is intended to remove data from GDPR scope for a high-risk purpose such as AI training, a DPIA should be completed before the anonymisation determination is finalised. If the DPIA reveals that the three-criteria test cannot be met, the controller must apply an alternative protective measure rather than proceed on the basis of an unsubstantiated anonymisation claim.

Can a CRO acting as a data processor carry out the anonymisation assessment on behalf of the sponsor?

A CRO (Contract Research Organisation, a company engaged by a clinical trial sponsor to manage some or all trial functions) may perform the technical anonymisation work as a data processor under Article 28 GDPR, but the legal responsibility for the adequacy of the anonymisation determination rests with the sponsor as data controller under Article 24 GDPR. The sponsor must review and approve the CRO's entity mapping and test documentation.

What happens if re-identification becomes possible after anonymisation was declared?

Guidelines 02/2026 introduce an ongoing reassessment obligation. If new re-identification techniques or auxiliary datasets emerge that would have changed the three-criteria test outcome, the controller must re-evaluate whether the data has reverted to personal data status, apply protective measures and, if a data breach has occurred within the meaning of Article 4(12) GDPR, notify the competent supervisory authority within 72 hours under Article 33 GDPR.

Does the CNIL's MR-001 framework still apply if a dataset has been declared anonymous under Guidelines 02/2026?

The Méthodologie de Référence MR-001 applies to the processing of personal data in interventional clinical research. If a dataset genuinely satisfies the three-criteria test and is no longer personal data, MR-001 ceases to apply to that specific dataset. However, the process of reaching the anonymisation determination — including the entity mapping and testing phase — itself constitutes processing of personal data and therefore remains subject to MR-001 and GDPR obligations until the moment the determination is finalised and the original personal data is destroyed or no longer accessible.

What is the three-criteria anonymisation test introduced by EDPB Guidelines 02/2026?

The three-criteria anonymisation test is a cumulative assessment requiring a dataset to simultaneously satisfy three conditions: No Record Isolation (it must be impossible to single out an individual record), No Linkage (it must be impossible to link records relating to the same individual across datasets), and No Inference (it must be impossible to deduce new information about an individual from the remaining data). A dataset that fails any one of these criteria remains personal data and is subject to GDPR in full. For clinical trial datasets, the more rigorous contextual approach is almost always required due to small patient populations, linkage risks from patient registries and EHR systems, and elevated inference risks from genomic or biomarker data.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified

Find out how iliomad can help your company.

[Map placeholder]
Only visible in production
38.709099
-39.182035
1.6
6d17042a3425c5b3
Your message has been received!
We'll get back to you as soon as possible.
Something went wrong, please try again.
Home

Discover our latest articles

View All Blog Posts
Abstract digital network connecting a hospital, a regulatory building and a courtroom, representing AI governance, health data privacy and transatlantic data transfer risks in 2026
July 8, 2026
Healthtech
Regulations & Guidelines
DPIA
Regulation
LLMS

AI Triage, Biopharma Workbenches and Crumbling Data Bridges: iliomad Weekly Digest

NHS AI triage, Anthropic Claude Science, medical AI privacy risks, MHRA GxP guidance, EDPS ADM checklist and the EU-US data transfer threat explained.

A clinical data reviewer examining an automated decision output on a screen, representing human oversight in GDPR clinical trials under the EDPS ADM checklist framework
July 6, 2026
GDPR
Regulation
Clinical Trials
US Privacy Law
EU Privacy Law

Human Intervention in Automated Decision-Making: What the EDPS Checklist Means for Life Sciences

The EDPS checklist on human intervention in automated decision-making carries direct implications for GDPR clinical trials. Learn what effective oversight requires.

A clinical trial investigator reviewing an informed consent form with a data protection checklist highlighting the ethnicity data justification section
July 3, 2026
ICF
GDPR
Clinical Trials
Ethics Committee
Combination Products

Informed Consent Form (ICF) and Ethnicity Data: Justification Requirements Under GDPR and MR-001

Ethics committees require scientific justification for ethnicity data in the ICF. Learn how GDPR Article 9, MR-001 and EU CTR 536/2014 apply to your clinical trial.