by Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB


On 6 February 2017, the Brussels Privacy Hub hosted a workshop addressing data protection issues in biobanking at the Institute of European Studies, the Vrije Universiteit Brussel. The workshop was organized within the scope of the BPH Workshops Series on the Implementation of the GDPR. The event gathered 21 participants representing a diverse stakeholder group, including representatives from industry, civil society, academia and data protection authorities.

Collection of human biological materials, in other words biological samples, has been incremental resource for biomedical research focusing on a particular disease. It was estimated that there were 176 biobanks in Europe in 2010. This number has been increasing and the advancements in science and technology have been redefining the way biobanks function (e.g., sample management and storage is increasingly centralized). In light of these developments the workshop  analyzed whether the framework meets interests and needs of industry (e.g., clinical research companies) and academic community.

Building on the premise that the EU data protection framework is of fundamental importance to biobanking activities in all Member States, Charlotte Ryckman from the law firm Covington & Burling and Professor Paul Quinn reflected on the way the General Data Protection Regulation (GDPR) will affect the current trends and practices in biobanking. Firstly, Charlotte Ryckman unravelled complexity surrounding this specific area by sharing insights about the way biobanking is regulated in Belgium, France and Italy. After reflecting on the implementation of Directive 2004/23/EC on setting standards of quality and safety for the use of human tissues and cells in the Member States, Charlotte Ryckman pointed out the key changes brought by the GDPR that may affect data processing practices in the context of biobanking activities.

Then, Professor Paul Quinn considered the use of open consent for collection of human biological materials. The key take-away messages of the workshop include the following:

Changing nature of a biological sample: It is not clear whether a biological sample as a physical item can be considered to be personal data. Even though the definition of personal data provided in the GDPR is very broad, it can be argued that a biological sample becomes personal data only once a set of operations are performed that allow to extract genetic and often health related data (for differences between these concepts see: Article 4 of the GDPR). Furthermore, different types of data that can be extracted from a biological sample (e.g., health data and genetic data) depend on available technology.

Legal uncertainty is here to stay: Although the GDPR harmonizes rules for the processing of personal throughout the EU, the legal regime applicable to biobanking will remain obscure and fragmented because of the following three reasons. First, the actual collection and use of biological samples is subject to requirements set forth by Directive 2004/23/EC. Member States have transposed this directive into their domestic laws governing the collection and use of human biological materials and therefore domestic regulation must be consulted before launching biobanking activities. Second, a biological sample per se is not considered to be personal data and therefore, application of the GDPR may be triggered only at the later stage of research where information (e.g., genetic data) is extracted from a particular sample. Thirdly, research activities related to biobanking may fall under the notion of scientific research and thus it vsn be subject to derogations introduced by Member States. In practice this means that the same biobanking activities may be subjected to different rules across Member States.

Different types of consent: According to Article 13 of Directive 2004/23/EC, ‘[t]he procurement of human tissues or cells shall be authorised only after all mandatory consent or authorisation requirements in force in the Member State concerned have been met’. Member States are required to take all necessary steps ensuring that anyone consenting to biobanking are provided with the information about ‘the purpose and nature of the procurement, its consequences and risks; analytical tests, if they are performed; recording and protection of donor data, medical confidentiality; therapeutic purpose and potential benefits and information on the applicable safeguards intended to protect the donor’ (see: Annex of Directive 2004/23/EC). This obligation so far has caused confusion. Some have argued that such consent can be considered to provide legitimate basis for the processing and further processing of personal data and suggested to introduce the notion of ‘open consent’ (by some referred to dynamic, sectorial, and democratic consent). But it should be noted that consent obtained for the collection of biological materials entails different requirements than consent within the scope EU data protection rules, where consent is considered to be a legal basis for the processing of personal data. The high bar consent under the GDPR requires it to be ‘a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her’ (Recital 32). Article 13 of the GDPR requires that information notice provided to individuals whose data will be processed include the following information: the identity and the contact details of the controller (and where applicable the data protection officer), types of data processed and the purposes of the processing; the legal basis for the processing, the recipients or categories of recipients of the personal data, and when relevant, the controller should communicate that intends to transfer personal data to a third country or international organization. Provided the ambiguity of consent used in clinical research it was suggested to consider another legal basis legitimating the processing of personal data in case of biobanking activities.

Layered consent instead of open: Recital 33 of the GDPR seems to provide some leeway with regard to use of consent in the context of scientific research. In particular, this recital notes that ‘[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognized ethical standards for scientific research’. This means individuals should be able to consent to some specific parts of research.

Future of biobanking: It has been suggested that the GDPR facilitates scientific research and therefore biobanking activities by providing more flexibility with data processing requirements (e.g., storage time). Until the European data protection regulators issue additional guidance on the matter at stake, Member States regulation will have to be consulted first before launching biobanking activities.

The next Brussels Privacy Hub workshop from the series on the implementation of the GDPR will address data protection issues arising from the use of smart grids in the energy sector. The workshop will take place on 21 March 2017. For more information about upcoming BPH events, please visit the BPH website or contact us at

Connect with us

Brussels Privacy Hub

Law Science Technology & Society (LSTS)

Vrije Universiteit Brussel

Pleinlaan 2 • 1050 Brussels



Stay informed

Keep up to date of our activities and developments. Sign up to our newsletter:

My Newsletter

Copyright © Brussels Privacy Hub