[General Data Protection Regulation and medical research: friend or foe?]

As of May 2018, the use of personal data in medical research is regulated under the General Data Protection Regulation (GDPR). While, as before, in principle patients' consent for the use of their personal data is still required, exemptions for medical research still exist. When all of the criteria for the exemptions are met, and the other requirements of the GDPR are adhered to, personal data can be used in medical research without consent. In this paper we present a brief outline of a number of GDPR-related requirements for use of personal data in medical research. Furthermore, we discuss how GDPR interlinks with the Medical Research Involving Human Subjects Act (WMO) and in which areas GDPR remains subject to interpretation. Medical researchers using personal data need to be aware when consent is required and on which grounds personal data can be used without consent in the Netherlands.