GDPR Requirements for Biobanking Activities Across Europe

Preface
	Taking Responsibility: The Value and Handling of Data in Modern Medicine in the Light of the New GDPR
Acknowledgement
Contents
Introduction
	References
Medical Research and Data Protection in Europe. The Emergence of General Legal Principles
	References
Part I: Syllabus of the Burning Questions
	Anonymisation (Part I)
		1 Introduction
		2 Anonymisation in the General Data Protection Regulation
		3 General Framework for Data Access in the EHDS Proposal
		4 Conclusions: The Anonymisation of Health Data in Health Research Projects
		References
	Anonymisation: The Trap for Biobanking (Part II)
		1 Introduction
		2 Coded Data in Biobanking and the Concept of Anonymisation
		3 Consequences of Anonymisation of Personal Data
		4 Conclusion
		References
	Applying National Law in Cross-Border Research Activity
		1 Introduction
		2 Application of GDPR at National Levels: The Laws Relevant to Cross-Border Research Projects and Conflict of Laws
		3 Equal Treatment of All Individuals in One Study/Research Activity
		4 The Answers From the European EDPB About a Heterogeneous/Different Legal Basis for Processing Health Data of Different Indiv...
		5 The Lack of Rules with Regard to the Issue of a Possible Intra-EU Conflict of Laws in the Scenario of the GDPR
		6 The One-Stop-Shop Mechanism Identifies the Lead Supervisory Authority for Cross-Border Processing
		7 Is Using Recital 153 GDPR in an Analogic Manner a Potential Solution?
		8 Conclusion
		References
	Archived Tissue
		1 Introduction
		2 The Possible Definitions of `Archive´ and, Consequently, of `Archived Tissues´
		3 Consent Required for the Use of Biological Materials and Related Personal Data in Research Activities
		4 Historical Tissue Archives and the Absence of Express Consent
		5 Current Tissue Archives, Secondary Use and Conservation Obligation
		6 Conclusion
		References
	Blockchain and Dynamic Consent
		1 Introduction
		2 The Blockchain for Biobanking: The Most Relevant Projects So Far
		3 Valuable Blockchain Functions for Dynamic Consent in Biobanking
		4 Blockchains for Biobanking Under the GDPR
		5 Conclusion
		References
	Brexit Effects
		1 Introduction
		2 The `Brexit Effect´ on Data and Biological Samples
		3 The Flow of Health Data: Waiting for an Adequacy Decision
		4 The Transfer of Biological Samples
		5 Conclusion
		References
	Broad Consent
		1 Introduction
		2 Advantages and Disadvantages of Broad Consent
		3 Donors´ Views on Broad Consent
		4 Consent for Governance
		5 Conclusion
		References
	Cloud
		1 Introduction. The Use of the Cloud in Research
		2 Risks of the Cloud
		3 Measures and Penalties
		4 Conclusion
		References
	Consent Requirements
		1 Introduction
		2 The Adequacy of the Information
		3 Information to Be Provided
			3.1 Relationships with the Research Group and Research Establishment
			3.2 Legal Base, Purpose and Context of the Research Activity
			3.3 Risks and Other Consequences
			3.4 Information Concerning Storage, Security and Confidentially
			3.5 Categories of Recipients and International Transfer of Data and Materials
			3.6 Rights of the Person Involved in the Research Activities
			3.7 Additional Information
		4 Withdrawal and Freedom of Consent
		5 Form of the Information and of Consent
		6 Conclusion
		References
	Consent and Assent by Children
		1 Introduction
		2 Children´s Consent or Assent in Biobanks
			2.1 The Legal Context
			2.2 Age to Be Considered
		3 What Should Be Done When They Reach the Age: Obligations and Recommendations
		4 Conclusion
		References
	Consent and Technology
		1 Introduction
		2 A New Model for Consent: Dynamic Consent
		3 The Potential of a Dynamic Consent Interface
		4 Conclusion
		References
	Consent from Children and Vulnerable People
		1 Introduction
		2 Consent as an Ongoing Process for Medical Assistance
		3 The Legal Representative and Best Interest Decisions
		4 The Spanish Example in Tackling Health and Disability
		5 Conclusion
		References
	Consent Withdrawal
		1 Introduction
		2 Some Elements to Focus the Meaning of Withdrawal in Light of the GDPR
		3 The Impact of the Withdrawal on the Purely Research Activity and/or Clinical Trial
		4 The Case of Withdrawal of Consent and Other Legal Bases for Personal Data
		5 Conclusion
		References
	Covid-19
		1 Introduction
		2 Alternative Legal Basis to Consent: Public Interest or Legitimate Interest of the Data Controller
		3 Management of Personal Data for Scientific Research Purposes Related to the COVID-19 Pandemic: Transparency, Information, Re...
		4 Conclusion
		References
	Dynamic Consent
		1 Introduction
		2 Setting the Scene for Dynamic Consent
		3 Dynamic Consent in Practice
		4 The Information Conveyed and How to Express Dynamic Consent
		5 Conclusion
		References
	Ethics Committees
		1 Introduction
		2 Ethics Committees
		3 Mandatory and Non-Mandatory Ethics Committees
		4 Composition and Functions of the Ethics Committees
		5 Ethics Advisors Within EU Programmes
		6 Conclusion
		References
	Ethic and Biobanks
		1 Introduction
		2 Data Protection Impact Assessment
		3 The Population Biobank Code of Ethics
		4 Towards a Model of `Mixed´ (Specific and Broad) Informed Consent
		5 Conclusion
		References
	Ethical Principles and Legal Provisions
		1 Ethical Principles Within EU Law
		2 Dignity
		3 Self-Determination
		4 Solidarity
		5 Prevention of Risks and the Precautionary Principle
		6 Proportionality
		7 Proportionality and Research Biobanks
		References
	EU Legislation and Health Data Protection
		1 Introduction
		2 Personal Data Protection and the EU Treaties: Are There Articles of the EU Founding Treaties that Regulate Personal Data Pro...
		3 The Bridge Between the EU Treaties and the GDPR: What Is the Role of the GDPR in the Legal Mechanism for Personal Data Prote...
		4 The Key Principles of Personal Data Protection in the European Union: Which Principles Apply to Personal Data Protection in ...
		5 Conclusions: How Efficient Is the Legal Mechanism that Regulates the Protection of Personal Data?
		References
	Forensic Databases (Part I)
		1 Introduction
		2 Legislation Applicable and Standards of Conduct
		3 Data and Material Retention
			3.1 Criteria for Entering Individual Profiles
			3.2 Rules for the Destruction of the Sample Used for the Creation of the DNA Profile
			3.3 Retention Time of the DNA Profile of a Convicted Person
			3.4 Circumstances Requiring the Deletion of the DNA Profile
		4 Conclusion
		References
	Forensic Databases (Part II)
		1 Introduction: Issues Regarding the Circulation of DNA Profiles Within the EU and Non-EU Countries
		2 Challenges Surrounding the Prüm Decisions
		3 Controversies Around Secondary Uses
		4 Ethical Questions Associated with the Use of Forensic DNA Databases
		5 Conclusion
		References
	Future Research
		1 Introduction
		2 Defining `Scientific Research´
		3 Ethical Dimensions of Research Activity
		4 `Academic Expression´ and Scientific Research in Light of the GDPR
		5 Current State of Knowledge and Future Research
		6 Conclusion
		References
	Genetic Data
		1 Introduction
		2 The Special Status of Genetic Data
		3 The Use of Genetic Information in the Context of Research Activities in Particular: The Specific Issues
		4 Information Shared Between Persons of the Same Genetic Group
		5 Conclusions
		References
	Granularity
		1 Introduction
		2 `Granularity´ of Consent and Special Rules for Consent in Research Activities
		3 Issues Concerning the Exceptions to the Requirement for Specific Consent
		4 Conclusions
		References
	Imaging Biobank
		1 Introduction
		2 Imaging Biobanks
		3 The Relationship Between GDPR and Images in the Light of Imaging Biobanks and Imaging Biomarkers
		4 Fairness in AI Systems in the Light of the GDPR
		5 Conclusion
		References
	Industry Perspective
		1 Introduction
		2 The GDPR as One Element Within a Complex Legal Framework
		3 The Decisive Factor: Taking a Stance on Anonymisation
		4 Contractual Building Blocks: Covering the Past, the Present and the Future
		5 Conclusion
		References
	Joint Controller Agreement
		1 Introduction
		2 The Essence of the Joint Controller Agreement: Purposes and Means of the Processing of Personal Data
		3 Terms of the Arrangement Between Joint Controllers
		4 The Arrangement Between Controller and Processor
		5 Conclusion
		References
	Legitimate Interests
		1 Introduction
		2 Legitimate Interest as Grounds for Data Processing
		3 Processing Retrospective Health Data and Tumour Tissue on Grounds of Legitimate Interest
		4 Conclusion
		References
	Ownership of Human Biological Material
		1 Introduction
		2 The Legal Framework May Be Subject to the Processing for Commercial and Research Purposes Because of Human Tissues
		3 Some Legal Issues for Biobank Policies and Procedures for the Exploitation of Material Stored in a Biobank and Associated Da...
		4 Conclusion
		References
	Paediatric Biobanks (General Overview)
		1 Introduction. The Principle of Solidarity and Research Biobanks
		2 General Framework for Ethics and Functioning of a Paediatric Biobank: Benefits and Risks
		3 Consent and Protection of Personal Data, General Overview
			3.1 Informed Consent and Recruitment Procedures for a Research Paediatric Biobank
			3.2 Process Digitisation for the Acquisition of Informed Consent
		4 Conclusion
		References
	Public Interest
		1 Introduction
		2 Understanding the Concept of `Public Interest´
		3 The Public Interest Under the GDPR
		4 The Application of Public Interest
		5 Who Decides What Is in the Public Interest?
		6 Conclusion
		References
	Rare Diseases and Data Protection (Part I)
		1 Introduction
		2 Data Protection Issues in Research on Rare Diseases
		3 The Method to Apply the GDPR to Support Research on Rare Diseases
		4 Conclusion
		References
	Rare Diseases and Legal, Ethical, Technical and Societal Needs (Part II)
		1 Introduction
		2 On Rare Diseases, Sample Collections and Orphan Drugs
		3 The Way Forward
		4 Conclusion
		References
	Rare Paediatric Diseases
		1 Introduction
		2 The Challenges to Consent/Assent in Rare Paediatric Diseases
		3 Processing Data and Consent Models: The GDPR and Beyond
			3.1 The Dynamic Consent Option
		4 Conclusion
		References
	Residual Material
		1 Introduction
		2 Principles and Safeguards
		3 The Helsinki Declaration, the Council of Europe Recommendation on Research on Biological Materials of Human Origin and the G...
		4 Practising or Non-Practising Consent
		5 Conclusion
		References
	Retention Time: Conservation of Personal Data (Part I)
		1 Introduction: Biobanks and Personal Data
		2 The Legal Framework: Personal Data Protection in European Law and in the Legal Systems of Member Countries
		3 Data Retention Time: Four Key Guidelines
		4 Conclusions
		References
	Retention Time: Conservation of Tissues (Part II)
		1 Introduction
		2 Biological Substances of Human Origin: The Regulatory Framework
		3 Tissues of Human Origin as Biological Materials
		4 Biobanks
		5 A Reconstructive Proposal: Biological Materials and Biological Samples
		6 Tripartition of Biological Samples
		7 The Retention Time of Tissues
		References
	Retrospective Research
		1 Introduction
		2 Link Between Broad Consent and Secondary Use of Health Data
		3 Assessment of Compatibility of the Purposes of Data Processing
		4 The Assessment of the Issue Is Related to the Activities of Biobanks
		5 Conclusion
		References
	Scientific Research and the Biomedical Sector. Requirements and Methods for Planning and Managing a ``Data Protection by Desig...
		1 The GDPR Regime on Scientific Research and the Biomedical Sector
		2 The Data Protection by Design Requirement
		3 Guidance for a Compliant Biobank-Based Research Project
		References
	Secondary Use (Part I)
		1 Introduction
		2 Secondary Use
		3 The Consent Scenarios
		4 Rules for Pseudo-anonymous Data
		5 Conclusion
		References
	Secondary Use and Dual Use of Biomaterial Samples (Part II)
		1 Introduction
		2 Secondary Use and Dual Use of Biomaterial Samples
		3 Informed Consent Issues
		4 Conclusion
		References
	Transfer of the Personal Data for Research Purposes Towards Non-EU Countries
		1 Introduction
		2 The Case of the United States
		3 The Case of the United Kingdom
		4 Transfer of Personal Data Without a Commission´s Adequacy Decision
		5 Transfer of Personal Data for Research Purposes Towards Non-EU Countries
		6 Conclusion
		Reference
	Users
		1 Introduction
		2 The Concept of End-Users
		3 Conclusion
		References
Part II: Biobanking Legal and Ethical Requirements Across Europe: National Reports (in Alphabetic Order)
	Towards Regulation for the European Health Data Research: A Comparative Analysis
		1 Introduction
		2 General Data Protection Regulation and Health Research
		3 Conclusion. Requirements for the Processing of Health Data in the Data Governance Act Scenario and the Regulatory Future of ...
	Austria
		1 Introduction
		2 Freedom of Science
		3 Organisation of Research
			3.1 General Conditions
			3.2 Obligations of Research Institutions
		4 Conclusion
		References
	Belgium
		1 Introduction
		2 The Protection of Natural Persons in the Processing of Special Categories of Personal Data for Archiving Purposes in the Pub...
		3 The Specific Law on Biobank Activities
		4 The Secondary Use of Personal Data
		5 Secondary Use and Residual Human Tissues
		6 Conclusion
		References
	Bulgaria
		1 Introduction
		2 National Regulations Related to the Processing of Personal Data for Research Purposes
			2.1 The Bulgarian Data Protection Act (BG-DPA)
		3 The Bulgarian Health Act (HA)
			3.1 Health Data
			3.2 Medical Research on Humans and Genetic Research
				3.2.1 Medical Research on Humans
				3.2.2 Genetic Research
		4 Other Regulations
			4.1 Regulation No. 1 of 27.02.2013
			4.2 Regulation No. 1 of 30.01.2013
			4.3 Regulation No. 41 of 21.12.2005
			4.4 Regulation No. 31 of 12.08.2007
			4.5 Regulation Establishing the Conditions and Procedure for Conducting Medical-Scientific Research as a Project
			4.6 Code of Professional Ethics of Doctors in Bulgaria
			4.7 Decree No. 38 of 20.08.2010
		5 Organ, Tissue and Cell Transplantation Act (    ,    - )
		6 Conclusion
		References
	Croatia
		1 Introduction
		2 Biobanks in Croatia
		3 Croatian Legislation on Collection of Tissues and Samples and Processing of Data for Research
		4 Conclusion
		References
	Cyprus
		1 Introduction
		2 The Data Protection Law in Cyprus: Exceptions and Safeguards
		3 An Example of Ethical Institutionalisation: The Cyprus National Bioethics Committee
		4 Biobanking: The Legal State of the Art and the Cyprus Human Genome Project
		5 Conclusion
		References
	Czech Republic
		1 Introduction
		2 Czech Republic
			2.1 Regulation on Data Processing
			2.2 Specific Issues of Health Data Processing
		3 Conclusion
		References
	Denmark
		1 Introduction
		2 Regulation on Biobanks in Denmark
		3 Processing of Personal Data for Research Purposes and the GDPR
		4 Conclusion
		References
	Estonia
		1 Introduction
		2 National Legal Framework for the Processing of Personal Data
		3 Biobanking in Estonia
		4 Research Ethics Committees: Ethics and Research Oversight
		5 Conclusion
		References
	Finland
		1 Biobanking in Finland: Reference Texts, Requirements and Legal Obligations
		2 The Protection of Personal Data and the Exceptions for Scientific Research Purposes
		3 The Re-use of Old Samples
			3.1 Secondary Use of Health Data
		4 The Retention Period of Samples and Data
		5 Conclusion
		References
	France
		1 Introduction
		2 Scientific Research and Biobanking in France Legal Framework
			2.1 The Activity of Biobanks Between the Declaration and Authorization Regime
			2.2 The Chain of Operations and Responsibilities
			2.3 The Essential Consent of the Patient
			2.4 The Protection of Data Associated with the Sample and Personal Data
		3 Conclusion
		References
	Germany
		1 Introduction
			1.1 The Presentation of § 27 BDSG
			1.2 Potential Single Questions: The Interpretation of § 27 BDSG in the Individual Case
		2 The Valuation Standard: The Differentiation Between Fully Harmonised and Not-Determined Specific European Union Law
		3 The Protection of the Data Controller
		4 The Protection of the Data Subject
		5 Conceivable Parameters for the Process of Consideration
		6 Conclusion
		References
	Greece
		1 Introduction
		2 Scientific Research: Exceptions and Specific Measures
		3 The Core Principle of Purpose Limitation and the Re-Use of Personal Data
		4 Biobanking
		5 Conclusions
	Hungary
		1 Introduction
		2 Legal Basis for Processing of Health Data, Biometric and Genetic Data for Research Purposes
			2.1 Research Exemption: Special Rules for Scientific Research on Health Data
			2.2 Genetic Data and Biometric Data
		3 Legal Requirements for the Use and Re-Use of Health Data
			3.1 Historical Archives of Health Data and Research Based on the Biobank Act
			3.2 Specific Legal Requirements of Biobanking Activities: Conservation of Tissues, DNA and RNA from Tissues
		4 Special Law on Biohacking Activities
		5 Conclusion
		References
	Ireland
		1 Introduction
		2 The GDPR and Its Consequences on Health Data Processing
		3 Processing of Personal Data for Research Purposes
		4 Tissue Issue
		5 Conclusion
		References
	Italy
		1 Introduction
		2 Treatment of Genetic and Health-Related Data
		3 Special Provisions for Medical, Biomedical, and Epidemiological Research
		4 Exceptions, for Scientific Reasons, to the Regulation of Information and Consent
			4.1 Retention Period
		5 `Secondary Use´ and Bio-archives
		6 Conclusion
		References
	Latvia
		1 Introduction
		2 The GDPR and the Latvian Legal Framework: Exceptions and Consent
		3 Additional Conditions on the Right to Be Informed, Participation in Clinical Trials and the Processing of Data for Scientifi...
		4 Biobanking in Latvia
			4.1 The Interplay of the Protection of Privacy, Informed Consent and Rights of the Research Participants in the Genome Database
		5 Conclusion
		References
	Lithuania
		1 Introduction
		2 Data Subject Rights at the Crossroad of the GDPR and the Law on Ethics for Biomedical Research
		3 Biobanking and Processing of Information and Human Samples
		4 The Lithuanian System of Ethical Review of Biomedical Research
		5 Conclusion
		Reference
	Luxembourg
		1 Introduction
		2 The New Data Protection Law in Luxembourg
			2.1 Exceptions and Safeguards for the Processing of Special Categories of Personal Data for Scientific Research Purposes
			2.2 Consent and `Secondary Use´
		3 Conclusion
		Reference
	Malta
		1 Introduction
		2 The Maltese Legal Framework for Data Protection
		3 The Role (and Type) of Consent for Research Activities
		4 Biobanks in Malta: Public Awareness and Dynamic Consent
		5 Conclusion
		References
	Netherlands
		1 Introduction
		2 The Legal Basis of Processing of Personal Data for Research Purposes
		3 Research Exemption
		4 Use/Reuse of Historical Archives of Health Data: Governance Procedures and Policies on the Use and Reuse of Personal Data
		5 Conservation of Tissues and DNA/RNA Obtained from Tissues
		6 Biohacking
		Reference
	Poland
		1 Introduction
		2 The Legal Framework
		3 Rights of Researchers, Donors and Patients in Biobanking
		4 Conclusion
		References
	Portugal
		1 Introduction
		2 GDPR and Portuguese Legal Framework: Exceptions for Scientific Research
		3 Further Processing for Record Purposes in the Public Interest or for Scientific Research
		4 Conditions for Processing Health, Genetic and Biometric Data
		5 The Re-Use of Personal Data
		6 Biobanking in Portugal
		7 Conclusion
	Romania
		1 Introduction
		2 The Legal Framework: Processing of Personal Data for Research Purposes
		3 Policies and Procedures for the Use and Reuse of Personal Data
		4 Tissues and the DNA and RNA Obtained from Tissues: Focus on Conservation
		5 Law on Biohacking Activity
		6 Conclusion
	Slovakia
		1 Introduction
		2 Data Protection and the Research Exception
		3 Biobanking in Slovakia
		4 Conclusion
		References
	Slovenia
		1 Introduction
		2 Human tissue
		3 Processing of Personal Data for Research Purposes
		4 Conclusion
		References
	Spain
		1 Introduction
		2 The Subject´s Consent
		3 Secondary Use
		4 Public Health Interest Research by Public Health Authorities
		5 The Use of Pseudonymised Data
		6 Biobanks: Biological Samples and Health Data in the Spanish Biomedical Research Act
			6.1 Genetic Analysis for Health Purposes and the Processing of Personal Genetic Data
		7 Conclusion
		References
	Sweden
		1 Introduction
		2 The Legal Basis of Processing Personal Data for Research Purposes at the National’Level
		3 The Research Exemption
		4 The Use/Reuse of Historical Archives of Health Data
		5 Procedures and Policies on the Use and Reuse of Personal Data and Tissues
		6 Conclusion
	United Kingdom
		1 Introduction
		2 From Confidence to Dataficationand Data Protection
		3 Data Protection and the Exchange of Data and Biological Samples with the UK: Waiting for Brexit
		4 The European Union Commission Adequacy Decision: Evaluation and Effects
		5 The Data Protection Exemptions for Research Purposes and the Governance of Biobanks in the UK
		6 Conclusion
		References
Part III: Conclusion
	Conclusion
		1 The Point of View of Pathologists
		2 Paradigm Shifts
		3 Garbage in Garbage Out
		4 Pillars for Sustainability of a Biobank
		References