
Biobanks and GDPR: Lawful Bases, Consent Models, and Research Safeguards

Biobanks sit at a complex intersection of biomedical research, public health objectives, and fundamental rights. They collect, store, and process human biological material and associated data, often for long-term and indeterminate research purposes. In Europe, the General Data Protection Regulation (GDPR) is the cornerstone legal framework governing these activities, but it does not operate in a vacuum. It interacts with national laws, sector-specific regulations on human tissue, and ethical governance standards. For professionals designing or operating biobanks, the central challenge is to translate GDPR’s abstract principles into a workable, defensible, and participant-centric operational model. This requires a precise understanding of lawful bases, the nuanced role of consent, the practical application of safeguards like pseudonymisation, and the design of robust governance for data access, all while respecting the evolving rights of data subjects.

The GDPR’s Footprint in the Biobank Ecosystem

The GDPR applies to the processing of personal data, which in a biobank context includes not only the direct identifiers (name, social security number) but also the biological material itself when it can be linked, even indirectly, to an identifiable individual. This is particularly relevant for genomic data, where the combination of genetic markers and other data points can lead to re-identification. The regulation’s principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability must be embedded in the biobank’s lifecycle management—from donor recruitment and sample collection to long-term storage, data analysis, and eventual destruction or anonymisation.

It is crucial to distinguish between the GDPR’s scope and the national frameworks governing human tissue and cells. For instance, the EU’s Advanced Therapy Medicinal Products (ATMP) Regulation and national tissue acts (such as Germany’s Gewebegesetz or France’s Loi de bioéthique) regulate the quality and safety of samples and the permissibility of their use. A biobank must therefore achieve dual compliance: it must satisfy GDPR requirements for data protection and the national legal basis for the handling of human biological material. The legal basis for processing under GDPR is separate from the consent obtained for the physical collection and use of the tissue under national law. This dual-track compliance is a foundational concept that many institutions underestimate, leading to governance gaps.

Identifying the Controller and Processor Roles

In most biobank models, the institution hosting the biobank (e.g., a university hospital, a research institute, or a dedicated biobank foundation) acts as the controller. It determines the purposes and means of processing—such as what data is collected, how it is stored, and under what conditions it is shared. Researchers who receive samples or data for specific projects are typically processors (acting under the controller’s instructions) or, if they determine their own research aims and methods, joint controllers with the biobank. The distinction is not merely academic; it dictates liability, the content of data processing agreements, and the allocation of responsibilities for fulfilling data subject rights. In federated biobank networks, where data is shared across borders, the controller/processor map becomes complex and must be clearly documented in the records of processing activities.

Lawful Bases for Processing: Beyond Consent

GDPR Article 6 provides six lawful bases for processing personal data. For biobanks, the most relevant are consent, public interest (Article 6(1)(e)), and legitimate interests (Article 6(1)(f)). The choice of basis is not discretionary; it must reflect the reality of the processing and be supported by a rigorous assessment.

Consent (Article 6(1)(a))

Consent is often the first port of call, especially for new biobanks or those collecting samples for a specific research project. Under GDPR, consent must be freely given, specific, informed, and unambiguous. This presents immediate challenges for biobanks:

  • Specificity: Broad, open-ended consent for “future research” is difficult to reconcile with the requirement for specific purpose definition. The EDPB has acknowledged that granular consent for each future research project is impractical, but this requires a careful balancing act and robust governance.
  • Freely Given: In a patient-researcher relationship, there is an inherent power imbalance. If a patient feels they cannot refuse consent without jeopardising their clinical care, the consent is not freely given and is invalid.
  • Withdrawal: Consent can be withdrawn at any time. This creates a significant operational burden for biobanks, which must be able to locate and delete or destroy a participant’s data and samples upon withdrawal, unless another lawful basis applies.

Because of these challenges, many established biobanks in Europe have moved away from relying solely on consent as the legal basis for long-term storage and secondary research.

Public Interest and Task in the Public Interest (Article 6(1)(e))

Many EU Member States have designated biobank research as a task in the public interest. This is a powerful basis because it is not subject to withdrawal by the data subject. For example, national legislation in countries like Finland, Estonia, and Sweden explicitly frames biobank activities as serving public health and scientific research, providing a legal basis for processing that includes long-term storage and broad secondary use. In such systems, participants are typically given an opt-out possibility rather than an opt-in consent. This model shifts the focus from individual consent to the societal value of the research, underpinned by strong governance and ethical oversight. However, the specific national laws that enable this must be carefully reviewed to ensure they meet the GDPR’s stringent requirements for a legislative basis.

Legitimate Interests (Article 6(1)(f))

This basis is less common for core biobank operations but can be relevant for certain administrative or security-related processing. It requires a balancing test: the biobank’s interest in conducting research must be balanced against the rights and interests of the data subject. Given the sensitivity of health and genetic data, this balancing test often weighs heavily in favour of the individual, making legitimate interests a risky basis for primary research processing unless supplemented by specific national provisions.

Special Category Data: The Article 9 Hurdle

Processing health data, genetic data, and biometric data falls under Special Category Data (Article 9), which is prohibited unless a specific condition in Article 9 applies. For biobanks, the most relevant conditions are:

  • Explicit Consent (Art. 9(2)(a)): This is a higher standard than the regular consent under Article 6. It must be explicit and clearly relate to the processing of the special category data.
  • Scientific Research (Art. 9(2)(j)): This is the cornerstone for many biobanks. It allows processing where this is based on Union or Member State law that provides for suitable safeguards. This is where the interplay with national research frameworks is critical.
  • Public Health (Art. 9(2)(i)): Can be used for processing necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Crucially, Article 89 of the GDPR provides further safeguards for processing for scientific research purposes. It states that processing for archiving, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes if appropriate safeguards are in place. These safeguards include pseudonymisation and, where possible, anonymisation. This provision is the legal bridge that allows biobanks to use data for future, yet undefined, research projects, provided the governance is robust.

Consent Models in Practice: A Spectrum of Approaches

Given the limitations of consent as a standalone legal basis, biobanks employ a variety of consent models. The choice reflects a trade-off between participant autonomy, operational feasibility, and legal certainty.

Broad or Dynamic Consent

Dynamic consent is an interactive model where participants are engaged over time. They can update their preferences, receive information about new research projects, and decide on a project-by-project basis whether to allow their data to be used. This model enhances transparency and respects autonomy but requires sophisticated IT infrastructure and dedicated staff resources to manage participant communication and preferences. It is often seen as the gold standard from an ethical perspective but is challenging to implement at scale.

Opt-out Models under National Law

As mentioned, in countries with a strong legislative framework for biobanks, an opt-out model is common. The law provides the legal basis for processing (public interest), and the biobank informs individuals that their samples/data will be used unless they actively object. This model is highly efficient and supports large-scale, long-term research. However, it is entirely dependent on the existence of a specific national law that is GDPR-compliant. A biobank cannot simply decide to implement an opt-out model on its own; it must be anchored in national legislation.

Consent for Future Research vs. Specific Project Consent

Specific consent for a single project is the simplest from a legal perspective but is fundamentally at odds with the nature of biobanking, which is predicated on the long-term value of the collection for as-yet-unforeseen research. The GDPR, through Article 89, and the EDPB guidelines, support the use of broad consent for scientific research, provided that:

  • The scope of the research is defined in a general way (e.g., “research into cardiovascular disease”).
  • The consent is not overly broad or vague.
  • A robust governance framework is in place to review and approve future research uses.
  • Participants are given meaningful information about how their data is used.

In practice, a hybrid model is often adopted: a general consent for inclusion in the biobank and for future research within a defined domain, combined with a dynamic consent or notification system for specific high-impact or ethically sensitive projects.

Key Interpretation: The EDPB has clarified that consent for scientific research is not a “one-off” event. It must be an ongoing process, and the information provided to participants must be updated as the research evolves. The concept of “granularity” in consent is less about specific projects and more about providing meaningful choices where possible, especially when the risks to the data subject change.

Safeguards: The Operational Backbone of Compliance

GDPR Article 89 mandates appropriate safeguards for research processing. These are not optional extras; they are the core operational measures that make research processing lawful. The two most critical safeguards are pseudonymisation and data minimisation.

Pseudonymisation in the Biobank Context

Pseudonymisation is the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information. This additional information (the “key”) must be kept separately and be subject to strict technical and organisational measures.

For a biobank, this typically means:

  1. Separation of Identifiers: A sample is assigned a unique ID. The link between this ID and the person’s name, address, or social security number is stored in a separate, highly secure “identity database” (the key).
  2. Research Data: The biological material and the data derived from it (e.g., genetic sequences, clinical data) are stored and processed using only the unique ID. Researchers working with the data do not have access to the identity database.
  3. Access Control: Access to the identity database is strictly limited to a very small number of authorised personnel for specific, defined purposes (e.g., contacting a participant for follow-up based on a clinically significant finding, or processing a withdrawal request).

Pseudonymisation reduces the risk to individuals and can be a key factor in demonstrating compliance with the data minimisation principle. However, it is not anonymisation. The data remains personal data because re-identification is possible with the key. Therefore, all GDPR obligations continue to apply to pseudonymised data.
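The three-step separation described above, as an added Python example (not code from this article or from any biobank). The class names, staff IDs and purpose strings are hypothetical, and deriving the unique ID with a keyed HMAC is one design choice among several, assumed here so that a withdrawal request can be matched without a reverse lookup table.

```python
import hashlib
import hmac
import secrets

# Purposes the text names as justifying use of the identity database.
ALLOWED_PURPOSES = {"clinical_follow_up", "withdrawal_request"}


class IdentityVault:
    """The 'key': the only link between pseudonyms and direct identifiers.
    Assumed to be deployed separately from the research store."""

    def __init__(self, authorised_staff):
        self._secret = secrets.token_bytes(32)  # stays inside the vault
        self._identities = {}                   # pseudonym -> identifiers
        self._authorised = set(authorised_staff)
        self.audit_log = []                     # every access attempt

    def _pseudonym(self, national_id):
        # Keyed HMAC rather than a plain hash: without the secret, nobody
        # can recompute the ID by hashing guessed national IDs.
        return hmac.new(self._secret, national_id.encode(),
                        hashlib.sha256).hexdigest()

    def _check(self, staff_id, purpose, target):
        ok = staff_id in self._authorised and purpose in ALLOWED_PURPOSES
        self.audit_log.append((staff_id, purpose, target, ok))
        if not ok:
            raise PermissionError("identity database access denied")

    def enrol(self, national_id, name):
        pid = self._pseudonym(national_id)
        self._identities[pid] = {"national_id": national_id, "name": name}
        return pid

    def reidentify(self, pid, staff_id, purpose):
        self._check(staff_id, purpose, pid)
        return self._identities[pid]

    def withdraw(self, national_id, staff_id):
        pid = self._pseudonym(national_id)
        self._check(staff_id, "withdrawal_request", pid)
        self._identities.pop(pid, None)
        return pid  # caller uses this to purge the research store


class ResearchStore:
    """Sample-derived data, indexed by pseudonym only."""

    def __init__(self):
        self.records = {}

    def add(self, pid, data):
        self.records[pid] = data

    def purge(self, pid):
        return self.records.pop(pid, None) is not None
```

Denied attempts are written to the audit log before the exception is raised, so refused re-identification requests remain visible to whoever reviews access to the key.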

Anonymisation and the “Control” Test

Anonymisation is the process of irreversibly transforming data so that the data subject can no longer be identified. Once data is truly anonymised, it falls outside the scope of the GDPR. For biobanks, this is often the end-goal for data that is to be shared widely or used for commercial purposes. However, achieving true anonymisation is technically difficult, especially with genomic data. The bar is high: the assessment must consider the “reasonable likelihood” of re-identification, taking into account the means reasonably likely to be used by the controller or a third party. Simply removing direct identifiers is not enough. Techniques like k-anonymity, l-diversity, and differential privacy are often explored, but their application must be carefully validated.

Privacy by Design and Data Protection Impact Assessments (DPIAs)

Given the high risks associated with large-scale processing of genetic and health data, conducting a DPIA is almost always mandatory for a biobank. The DPIA is a systematic process to describe the processing, assess its necessity and proportionality, and identify and mitigate risks to the rights and freedoms of individuals. It is a living document that should be updated whenever there are significant changes to the processing (e.g., a new data-sharing partner, a new type of analysis). The DPIA is also the primary tool for demonstrating accountability. It documents the decision-making process, including the choice of lawful basis, the safeguards implemented, and the consultation with the Data Protection Authority (DPA) where high risks remain.

Access Governance and Data Sharing

A biobank’s value is realised through data sharing. However, this is also where many of the most complex GDPR challenges arise. A robust governance framework is essential to manage access requests and ensure that data is used in a manner consistent with the original legal basis and participant expectations.

The Role of the Access Committee

Most biobanks establish an independent Access Committee (or Data Access Committee, DAC). This committee is responsible for reviewing research proposals and deciding whether to grant access to samples and data. The committee’s composition typically includes scientists, ethicists, legal experts, and sometimes patient or public representatives. Its role is to ensure that:

  • The proposed research is scientifically and ethically sound.
  • The research is compatible with the original consent or legal basis for collection.
  • The requesting researcher has appropriate technical and organisational measures in place to protect the data.
  • Data minimisation principles are applied (i.e., the researcher gets only the data necessary for their project).

The Access Committee’s decisions and the rationale behind them are a critical part of the accountability record.

Data Sharing Agreements (DSAs)

When sharing data with external researchers or commercial entities, a formal Data Sharing Agreement is essential. This agreement is a form of the Article 28 processor contract (or a joint controller agreement under Article 26). It must specify:

  • The purpose and scope of the data sharing.
  • The types of data being shared (and the requirement to keep it pseudonymised).
  • Security measures required of the recipient.
  • Prohibitions on any further sharing or processing outside the agreed scope.
  • Requirements for data deletion or return after the project ends.
  • Auditing rights for the biobank.

For international transfers outside the EEA, additional layers of complexity are added, requiring mechanisms like Standard Contractual Clauses (SCCs) and a Transfer Impact Assessment (TIA) to ensure the data will be protected to an equivalent standard in the destination country.

Participant Rights in Practice

GDPR grants a range of rights to data subjects, which can be challenging to operationalise in a long-term, multi-project biobank setting.

The Right of Access

A participant can request a copy of all their personal data held by the biobank. This includes not just the raw data but also metadata about how their data has been used. For a biobank that has shared data with hundreds of researchers over a decade, compiling this information can be a monumental task. Systems must be designed from the outset to log data access and sharing, linking it back to the participant’s unique ID.

The Right to Erasure (Right to be Forgotten)

This right is not absolute. It can be limited if the processing is necessary for scientific research purposes, as long as the research is governed by Article 89 safeguards. However, the interpretation of this limitation varies. Some DPAs argue that a withdrawal of consent should lead to the cessation of future use, but not necessarily the destruction of data already incorporated into ongoing studies. Others allow for the “blocking” of data for future use while allowing current research to conclude. The biobank’s policy on withdrawal must be clearly communicated to participants at the outset and must be legally sound.

The Right to Data Portability

This right applies where processing is based on consent or a contract. It allows individuals to receive their data in a structured, commonly used, machine-readable format. In a biobank context, this might mean providing the clinical data associated with their sample. It does not apply to the biological material itself, nor does it apply if the processing is based on public interest. The biobank must be able to extract and provide this data in a usable format.

The Right to Restrict Processing

A participant can request that their data be “locked” (i.e., not processed further) while a dispute over its lawfulness or accuracy is resolved. For a biobank, this means flagging the record in the system to prevent it from being included in any new data pulls for research projects, without necessarily deleting it.

National Implementations and Cross-Border Nuances

The GDPR sets the floor, not the ceiling. Member States can introduce their own rules for specific processing areas, including research. This creates a patchwork
