Data protection in biobanks from a practical point of view: what must be taken into account during set-up and operation?

Abstract

The European General Data Protection Regulation (GDPR) incorporates many of the principles of data protection that were already in force in the past. Insofar the data protection requirements for German biobanks have not fundamentally changed since the GDPR became applicable in May 2018. In detail, however, new and relevant requirements have been added. Due to many derogation clauses that allow national deviations, federal and state laws must also be taken into account in Germany, depending on the legal form of the biobank or the supporting institution, which increases the complexity in individual cases. Research-oriented biobanks can still rely on informed, voluntary and explicit consent from patients or test persons. Other legal bases are also possible in certain cases. The information and transparency requirements have increased with the DSGVO, which has led to higher administrative costs. However, a major problem existed before and continues to exist in clarifying how biobanks deal with the right to know and the right not to know of their subjects, how this is explained in advance and which policy can be implemented in the long term, also in the context of targeted recruitment for later studies. The complexity of the regulatory framework and the resulting demands on biobanks make the development and implementation of standards unavoidable. In addition, it is recommended that such infrastructures be centralised, professionalised and equipped with the necessary resources.