Menu Chiudi

GDPR Requirements for Biobanking Activities Across Europe

Perugia, Congress – May 25-26, 2022

The conference “GDPR Requirements for Biobanking Activities Across Europe” will be a wonderful opportunity to meet online and in-person colleagues and other academics in the historic city of Perugia for the first time in many months to discuss topics related to main legal challenges in the management of Biobanks.

This year the University of Perugia and the National Research Council (Institute IFAC)  with the collaboration of ESBB will be offering the conference as a two-day in-person event. We will also be running a virtual event to enable those who cannot travel to Perugia to participate and present their work.

Pre-registration is mandatory since it grants you free admission to
“GDPR Requirements for Biobanking Activities Across Europe”.
There will be two separate registrations – reservations for the virtual event will give you access to the virtual conference if you are an ESBB member for two days.
In-Person reservation will give you access to both the in-person and virtual events (please write an email to:

Angelantoni Life Science S.r.l is a partner of the Conference.

The organisers expect all conference participants to adhere to local covid guidance at the time of the event.

About the conference “GDPR Requirements for Biobanking Activities Across Europe”

“The increasing number of research biobanks and the importance of their role in supporting medical and biological research have resulted in Action aims for the development and sharing of biobanking best practices and benchmarking standards which guarantee the fundamental rights of the donors/patients and increase trust in the system while not unnecessarily aggravating biomedical research. The creation and management of Biobank collections cause several ethical and juridical issues and may provoke societal concerns. The need to manage these resources efficiently and within strict legal boundaries is paramount given the genetic and protein information which is generated and which is linked to other genetic, genomic and proteomic databases or other types of databases, such as clinical records.

The main legal challenges in the management of Biobanks are to find ways of protecting the interests of individuals while at the same time making essential information available for medical research.
The Conference try to answer the burning questions on data protection regarding biobanks and to understand the effective operation of the rules related to biomedical research paying attention to the activities of the national legislatures of the 27 Member States in the field of scientific research, because of the EU multilevel system has an impact on biobanking activity”.


What are the Requirements for Data Exchange with the UK because of ‘Brexit Effect’

Prof. Hedley Christ – Univerity of Brighton

On the 31st January 2020 the United Kingdom (UK) left the European Union (EU).  However, for the remaining part of 2020 the UK was, in effect, still a Member State, albeit in reduced capacity, until the transition period for exiting from the EU had been completed by 31st December 2020.  This transition period was to be occupied by the negotiation process; that is, the UK was to agree, with the EU, the means of disentanglement from the EU and determine its future relationship with the EU.  Part of this negotiation was to include the nature of digital services and, in particular, cross-border data flows of information.  The treaty settlement however does not include digital services or how data transfer can occur between the UK and the EU now that the UK is a third country.   The UK’s withdrawal agreement makes no explicit provisions for the UK’s continued participation with the European Data Protection Board.

Within Section 2 Withdrawal Act 2018 the UK retains EU Law until repealed.  However, EU Law is no longer part of the laws of the United Kingdom.  This means that although the GDPR is still relevant, the UK is considered a third country as far as cross-border data flow is concerned.  This means that data flow can no longer be automatic and, therefore, other means, provided by the GDPR or International Law, must now be considered.  The most likely mechanism for the lawful transfer of data will be the Standard Contractual Clauses which may be approved by a competent Supervisory Authority.  However, these will need to comply with the GDPR.

Beyond the Standard Contractual Clauses is the possibility that The Commission could provide an Adequacy Decision for the UK.  However, there seems, as yet, no real possibility of this occurring in the near future.  Data Controllers, therefore, will have to find other means of securing lawful data transfer.  One such approach may be the use of Binding Corporate Rules (BCRs), pursuant to Articles 46(2) and 47 GDPR, which are legally binding internal rules adopted by multinational groups of undertakings.  BCRs allow data transfer to entities located in third countries irrespective of whether the country can provide for adequate levels of data protection.  Beyond these are Codes of Conduct pursuant to Articles 40, 41, 42, & 43 GDPR.  These Codes of Conduct have to be approved and enforceable.

These, and other mechanisms will need to be sought by the UK in order for lawful data transfer.