Ana Nordberg

Biobanks are essential infrastructures in current health and biomedical research. Advanced scientific research increasingly relies on processing and correlating large amounts of genetic, clinical and behavioural data. These data are particularly sensitive in nature and the risk for privacy invasion and misuse is high. The EU General Data Protection Regulation (GDPR) developed and increased harmonization, resulting in a framework defining specific duties and obligations of entities processing personal data – controllers and processors. Biobanks, in the exercise of their functions assume the role of controllers and/or processors and as such need to comply with a number of complex rules. This chapter analyses these rules, in light of Article 89 GDPR, which creates safeguards and derrogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. It identifies key compliance challenges faced by biobanks as data controllers and processors, such as determining whether the GDPR is applicable and its intersection with other regulations; when should a biobank be considered controller and processor; what are the main duties of biobanks as data controllers and processors and options for compliance.