Informed Consent in Biobank Research: Practical Patterns That Work
Consent in biobank research has evolved from a simple permission slip into a complex, long-term governance instrument. In the European Union, it is the cornerstone for lawful processing of health data under the General Data Protection Regulation (GDPR), the specific regime for human genetic and health data under the European Health Data Space (EHDS) Regulation, and the ethics requirements of the Clinical Trials Regulation and the Medical Device Regulation. It is also a trust mechanism: participants need to understand what they are agreeing to, and researchers need legal certainty that their data use is valid. The challenge is that biobanks operate over decades, involve multiple future research uses, and increasingly share data across borders. A static, one-time signature cannot address these realities. This article examines practical consent patterns used in EU biobank research, explains how they interact with legal requirements, and outlines governance safeguards that keep participant trust while enabling science.
Legal and Ethical Foundations for Consent in EU Biobanking
Consent is not a single concept in EU law. It is defined and applied differently across instruments, and understanding these distinctions is essential to designing a compliant and trustworthy consent model.
GDPR: Lawful Basis and Special Categories
Under the GDPR, consent is one lawful basis for processing personal data (Article 6). For health and genetic data, which are “special categories” of personal data (Article 9), explicit consent is one of the conditions that can permit processing. However, the GDPR does not require consent for all research. Article 89 provides a research exemption that can allow processing of special categories for scientific research purposes, subject to appropriate safeguards. Member States can provide further conditions and exemptions. In practice, many biobanks use a combination of bases: consent for participation and data collection, and the research exemption for specific downstream uses, often supplemented by a data protection impact assessment (DPIA) and technical and organizational measures (TOMs).
Key point: Under GDPR, consent must be freely given, specific, informed, and unambiguous. For special categories, it must be explicit. It must also be as easy to withdraw as to give. A withdrawal should stop new processing, though it may not always allow erasure of data already used or aggregated in research outputs.
EHDS Regulation: Secondary Use and “Broad Consent”
The European Health Data Space (EHDS) Regulation (EU) 2025/… introduces a harmonized regime for the secondary use of electronic health data for research, policy, and regulatory purposes. It establishes “health data access bodies” and a framework for “data altruism.” Crucially, it recognizes the concept of broad consent for secondary use of health data for scientific research purposes, provided specific requirements are met. Broad consent under EHDS is not a blank check; it must be specific about the purposes of processing, the categories of data, and the safeguards applied. It must also be linked to governance mechanisms, including oversight by ethics committees and data access bodies. EHDS also requires that participants be informed about the possibility of future research uses and about withdrawal rights.
Clinical Trials Regulation and Medical Device Regulation
The Clinical Trials Regulation (EU) No 536/2014 requires informed consent for participation in clinical trials, with strict rules on information, voluntariness, and the capacity to consent. The Medical Device Regulation (EU) 2017/745 also governs performance studies for devices and requires appropriate consent for the use of human tissue and data. In biobank-linked trials, consent must satisfy both the trial-specific requirements and GDPR/EHDS. This often leads to layered consent documents that separate trial participation from future biobank research uses.
Ethics Governance and National Implementations
At the national level, ethics committees and competent authorities apply additional rules. For example, France’s CNIL and the Bioethics Laws impose specific requirements for consent to biobanking and secondary research. Germany’s Medical Research Act (Medizinforschungsgesetz) and the Digital Healthcare Act have refined consent and data use rules for research, including provisions for “broad consent” under research-specific conditions. The Netherlands’ Wet medisch-wetenschappelijk onderzoek met mensen (WMO) and the Health Data Registration Act provide frameworks for biobank governance and consent. Belgium’s Royal Decree on Biobanks and the GDPR implementation law set conditions for consent and oversight. Finland’s Biobank Act allows for broad consent and data use under strict governance, with a strong role for the Finnish Social and Health Data Permit Authority (Findata). Sweden’s Biobanks in Medical Care Act and the new Health Data Act (2024) support broad consent and data sharing under oversight. Denmark’s Research Ethics Committee system and the Data Protection Agency have guidance on broad consent and withdrawal. Italy’s Guarantor for the Protection of Personal Data and the National Bioethics Committee provide guidance on biobanking and consent. Spain’s regional ethics committees and the Spanish Data Protection Agency (AEPD) apply GDPR and national law, with attention to dynamic consent models. Estonia’s e-health system and biobank governance integrate consent with national digital infrastructure. The UK, while no longer in the EU, remains relevant for comparison: the UK Health Research Authority’s framework for broad consent and the UK GDPR are often referenced in EU discussions.
Consent Models: Broad, Dynamic, Tiered
Biobanks typically choose among three main consent models, sometimes combining them. Each has strengths and limitations in terms of legal validity, operational feasibility, and participant trust.
Broad Consent
Broad consent is a single, informed agreement that allows future research uses within defined boundaries. It is widely used in EU biobanks because it supports long-term data utility without requiring re-contact for every new study. Under GDPR and EHDS, broad consent must be specific enough to satisfy the “informed” requirement. This means participants should understand:
- the types of research that may be conducted (e.g., disease research, population health, methodological studies);
- the categories of data involved (e.g., genomic sequences, clinical records, lifestyle data);
- who might access the data (e.g., academic researchers, public health bodies, industry partners under strict conditions);
- the safeguards in place (e.g., ethics oversight, data minimization, pseudonymization, access controls);
- the possibility and implications of withdrawal.
Practical pattern: Many EU biobanks use broad consent combined with a governance framework that includes an independent access committee, data use agreements, and a public register of studies. This approach is common in Finland, Sweden, Denmark, and Estonia. It is also supported by EHDS as a valid model for secondary use, provided the requirements are met.
Risks and mitigations: Broad consent can be perceived as “too broad.” To maintain trust, biobanks provide layered information: a concise summary at the point of consent, plus detailed documentation and web resources. They also implement dynamic elements, such as periodic updates and the ability to opt out of certain categories of research (e.g., commercial use).
Dynamic Consent
Dynamic consent is an interactive, digital approach that allows participants to review and adjust their preferences over time. It supports granular choices (e.g., types of studies, data sharing levels) and provides feedback about research outcomes. Dynamic consent is not a separate legal basis; it is a way to implement and manage consent under GDPR. It can be used alongside broad or tiered consent.
Practical pattern: Dynamic consent platforms are used in several EU biobanks, often integrated with national e-health portals. Participants receive notifications about new research proposals, can update preferences, and can withdraw easily. The UK’s “Our Future Health” program and the Nordic biobanks have pioneered this approach. In the EU, Spain’s and Estonia’s digital infrastructures support dynamic consent features.
Benefits: Increases transparency and trust, supports withdrawal, and allows biobanks to demonstrate ongoing compliance. It can also improve data quality by keeping contact details and preferences current.
Challenges: Requires robust IT infrastructure, cybersecurity, and resources to manage communications. It may also create “consent fatigue” if overused. To mitigate this, biobanks limit notifications to meaningful updates and provide clear summaries.
Tiered Consent
Tiered consent offers participants a set of choices at the point of entry, such as whether their data can be used for specific research domains (e.g., cancer research only), whether it can be shared internationally, or whether it can be used for commercial research. It can be combined with broad consent for unspecified future uses within the chosen tiers.
Practical pattern: Tiered consent is common in biobanks linked to clinical trials or disease-specific registries. For example, a cancer biobank may allow participants to opt in for genomic research but opt out of pharmaceutical industry access. In Germany and France, tiered consent is often used to align with national ethics guidance that emphasizes specificity.
Benefits: Respects participant preferences and can increase participation rates by offering control.
Challenges: It can complicate data management and reduce the pool of data available for cross-disease or methodological studies. It also requires careful governance to ensure that “opt-out” categories are respected technically and legally.
Governance Safeguards That Make Consent Work
Consent is only as strong as the governance that supports it. EU biobanks rely on a layered set of safeguards to ensure legal compliance and maintain trust.
Ethics and Data Access Oversight
Independent ethics committees and data access committees review research proposals. They assess whether the use aligns with the consent scope, whether data minimization is applied, and whether risks are proportionate. Under EHDS, health data access bodies will play a formal role in authorizing secondary use. Biobanks often publish access criteria and decisions to enhance transparency.
Data Protection by Design and by Default
Technical safeguards include pseudonymization, encryption, secure enclaves, and access controls. Organizational measures include data processing agreements, role-based access, audit trails, and breach response plans. The principle of data minimization means that only necessary data are shared, and only for the approved purpose. For genomic data, this may involve sharing only variant lists rather than raw sequences, or applying privacy-preserving analytics.
Transparency and Participant Information
Clear, layered information is essential. At the point of consent, participants receive a summary that explains the key points in plain language. Detailed documentation is available online or on request. Biobanks also provide ongoing updates via newsletters, portals, or dynamic consent platforms. They explain how withdrawal works and what it means for ongoing research.
Withdrawal Mechanisms
Withdrawal must be easy and effective. When a participant withdraws, biobanks stop new processing and exclude the participant’s data from future studies. However, it may not be feasible to retract data already included in published results or aggregated datasets. Biobanks should explain this clearly at the outset. Some biobanks allow “partial withdrawal,” such as opting out of future commercial use while remaining in academic studies.
Data Sharing and International Transfers
EU biobanks often share data with international consortia. This requires appropriate safeguards, such as Standard Contractual Clauses (SCCs) or adequacy decisions. EHDS will introduce harmonized conditions for cross-border sharing within the EU, simplifying compliance. For sensitive genomic data, additional technical safeguards are recommended, such as federated analysis and controlled access repositories.
Re-contact and Re-consent Policies
Biobanks must decide when to re-contact participants. Re-contact is required if there is new information that materially affects the participant’s willingness to continue (e.g., findings with clinical implications). It may also be needed if the research scope expands beyond the original consent. Re-consent is generally required for uses that fall outside the consent’s scope or where the legal basis changes. Policies should be documented and approved by ethics committees.
Comparative Views Across Europe
While EU law provides a common floor, national practices vary. Understanding these differences helps biobanks design consent models that work across jurisdictions.
Nordic Countries: Broad Consent with Strong Governance
Finland, Sweden, Denmark, and Norway have well-established biobank laws that support broad consent and secondary use. Finland’s Biobank Act allows broad consent and requires oversight by biobank ethics committees. Sweden’s Biobanks in Medical Care Act and the new Health Data Act enable broad consent and data sharing under national oversight. Denmark’s research ethics system supports broad consent with clear withdrawal procedures. These countries combine broad consent with dynamic elements (e.g., participant portals) and robust data access governance. EHDS alignment is expected to further harmonize these practices.
Germany: Specificity and Research Consent
Germany emphasizes specificity in consent and has introduced “research consent” frameworks under the Medizinforschungsgesetz. Broad consent is permitted but must be accompanied by strong governance and transparency. The Digital Healthcare Act supports data use for research, but ethics committees play a central role in approving secondary uses. Tiered consent is common, and dynamic consent is encouraged to enhance participant control.
France: Bioethics Laws and CNIL Guidance
France’s bioethics laws and CNIL guidance require explicit consent for biobanking and secondary research. Broad consent is recognized but must be detailed and supported by ethics oversight. Dynamic consent is supported as a way to maintain engagement. Data sharing with industry is subject to strict controls, and participants must be informed about commercial use.
Belgium and the Netherlands: Balanced Models
Belgium’s Royal Decree on Biobanks and GDPR implementation law set conditions for consent and oversight. The Netherlands’ WMO and Health Data Registration Act support broad consent and dynamic consent, with strong roles for ethics committees and data protection authorities. Both countries emphasize transparency and participant information.
Spain and Italy: Regional and National Variations
Spain’s regional ethics committees and the AEPD provide guidance on consent models. Dynamic consent is supported in some regions, and broad consent is used under EHDS-aligned governance. Italy’s Guarantor and National Bioethics Committee emphasize explicit consent and ethics oversight, with increasing use of digital tools for participant engagement.
Estonia: Digital Infrastructure and Consent Integration
Estonia’s e-health system integrates consent with national digital infrastructure. Participants can manage preferences through portals, and biobanks use dynamic consent features. The country’s approach demonstrates how digital governance can support both broad consent and granular control.
United Kingdom (for Comparison)
The UK’s “Our Future Health” program uses dynamic consent and broad consent under the UK GDPR and Health Research Authority framework. The UK’s approach to participant engagement and transparency is often cited as a model for EU biobanks, even though the legal context differs.
Practical Patterns That Work: Designing Consent for Long-Term Research
Based on EU practice, the following patterns have proven effective in balancing legal compliance, operational feasibility, and participant trust.
Layered Information Architecture
Provide a concise, plain-language summary at the point of consent, with links to detailed documents. Use visuals and FAQs to explain the scope, risks, and benefits. Offer multilingual materials where appropriate. This supports GDPR’s requirement for informed consent and EHDS expectations for transparency.
Hybrid Consent Models
Combine broad consent for general research with tiered choices for sensitive categories (e.g., commercial use, international sharing). Add dynamic consent features to allow participants to review and adjust preferences over time. This hybrid approach is flexible and aligns with diverse national practices.
Clear Governance and Access Policies
Document the criteria for data access, the composition of access committees, and the decision-making process. Publish summaries of approved studies and data uses. This builds trust and demonstrates compliance with GDPR accountability and EHDS governance requirements.
Proportional Re-Contact and Re-Consent
Define triggers for re-contact (e.g., new clinical findings, significant scope changes). Use re-consent when the research moves beyond the original consent boundaries. Avoid unnecessary re-contact to prevent consent fatigue; instead, use dynamic consent portals for routine updates.
Robust Withdrawal Mechanisms
Offer easy withdrawal via multiple channels (portal, phone, email). Explain the practical implications, including the inability to retract data already used in aggregated results. Consider partial withdrawal options to accommodate specific concerns.
Privacy-Preserving Data Sharing
Use pseudonymization, federated analysis, and controlled access repositories. For international transfers, implement SCCs and technical safeguards. Align with EHDS mechanisms for cross-border sharing where applicable.
Participant Feedback and Engagement
Provide regular updates about research outcomes, publications, and biobank activities. Invite participant input on governance and policies. This fosters a sense of partnership and enhances trust.
Continuous Compliance Monitoring
Conduct regular DPIAs, audits, and training. Monitor changes in law and ethics guidance. Update consent materials and governance policies accordingly. Maintain records to demonstrate compliance with GDPR, EHDS, and national requirements.
Common Pitfalls and How to Avoid Them
Even well-designed consent models can fail if implementation is weak. The following pitfalls are common in EU biobank research.
Overly Broad Language
Using vague phrases like “any future research” without specifying categories, safeguards, or data types can undermine informed consent. Mitigate by providing clear boundaries and examples, and by linking to governance documents.
Ignoring National Specificities
Assuming that a single consent model works across all EU jurisdictions can lead to compliance gaps. Mitigate by mapping national requirements and designing flexible consent options that can be adapted per country.
Weak Withdrawal Processes
Requiring complex procedures or refusing to acknowledge withdrawals erodes trust. Mitigate by offering simple, accessible withdrawal mechanisms and clear explanations of practical limits.
Insufficient Transparency About Commercial Use
Participants are often concerned about industry access. Mitigate by disclosing commercial use explicitly, explaining safeguards (e.g., data
