Research Biobanks and External Researchers Under the European General Data Protection Regulation: Between Controller-Processor Relationship and Joint Controllership

Abstract

The growing involvement of biobanks in international collaborative research creates invaluable opportunities but raises critical ethical and legal issues, e.g. on the use and sharing of health and genetic data. The appropriate governance of biobanks is key to ensuring research integrity and public trust in the methods and findings of the research. A crucial part of this requires identifying who is the controller, joint controller, or processor of personal data under the European General Data Protection Regulation (GDPR). These qualifications determine who is liable for compliance with different data protection provisions and how data subjects can implement their rights. This chapter maps the issues related to the GDPR qualifications of biobanks and external researchers. In particular, it outlines whether and under what conditions biobanks and external researchers are in a controller-processor relationship or joint controllers and the respective operational implications for biobanks. Finally, it provides some general practical advice to research biobanks.