1 Introduction

The biobank landscape in Greece mainly consists of tissue and data collections created in the course of clinical practice whose samples are subsequently repurposed for research. Given that there is no specific Greek biobank law, these collections have been so far governed through provisions drawn from the domestic civil and constitutional legal armamentarium concerning (biomedical) research as well as soft and hard EU and international laws. These provisions combined aim at safeguarding research participants’ rights, primarily their privacy and autonomy, and the public interest. Whilst preserving such protective measures, the Greek law transposing GDPR into national legislation alongside the expected creation of a national population biobank have the potential to facilitate biobank research in Greece.

2 Biobank Infrastructure and Regulatory Environment

2.1 Biobank Infrastructure: The Greek Reality

In the Greek legislative corpus, there is neither a definition nor any reference to the term biobank. According to the definition offered by the Organization for Economic Co-operation and Development (OECD), biobanks are ‘structured resources that can be used for the purpose of genetic research and which include: (i) human biological materials and/or information generated from the analysis of the same; and (ii) extensive associated information’.Footnote 1 In the same vein, it has been argued that the definition of a biobank should clearly state its research purpose,Footnote 2 whereas matters such as the size of sample collections or the richness of data should be of secondary importance.Footnote 3 The hereinafter analysis takes into consideration these definitional requirements by the OECD and Shaw et al. Hence, collections of samples and, more broadly, data which have been created in the course of clinical routine (clinical biobanks), without a specific research purpose or with the objective of applying these tissue samples on humans, will fall outside its material scope.

Issues regarding retrospective research arise commonly in Greece when human samples originating from clinical biobanks are reused for research activities without the patients having been informed at the time of their tissue collection about the possibility of their samples being used for future research. So far, retrospective research was lawfully conducted even without patients’ informed consent as long as three authorising decisions were in place: one from the competent Research Ethics Committee (REC) examining ethical and deontological concerns arising from the study and two from the Hellenic Data Protection Authority (hereafter HDPA or DPA) addressed to both the data controller/legal entity and the researcher acting as data controller.Footnote 4 Upon the GDPR coming into effect and the subsequent absence of DPA authorisations, the role of RECs in securing lawful retrospective research is enhanced.

Overall, biobank researchers in Greece encounter practical difficulties, which prevent them from establishing and administering biobanks. Firstly, to obtain the patient’s informed consent, a researcher needs to collaborate both with the clinician, which is hindered by the lack of preoperative reflexes in clinical practice, and the patient, which occurs rarely given the lack of awareness about biobanking research among the general public in Greece. Secondly, all peripheral laboratories need to be informed of the required processing, which is in practice difficult, because all laboratories would need to apply a single processing protocol. Thirdly, record-keeping is not sufficiently thorough in hospitals, resulting in incomplete historical data of patients’ clinical course, including long-term monitoring.

The latter is further thwarted by the fact that patients often change their preferred doctors and/or medical practices, while at the same time there is no central record-keeping or guidance by the National Health System. Lastly, pseudonymisation and tissue registration presuppose bioinformatics support by qualified staff. The unavailability of research funding renders this requirement one of the main hindrances to biomedical research in general and consequently complicates biobanking (inter)operability and sustainability. In this regard, initiatives such as the Greek Infrastructure for Personalised Medicine enhance collaboration among researchers, the interoperability of future biobanking activities, and the lawful conduct of retrospective research in Greece.

A considerable, yet not officially registered in its entirety, number of research biobanks is found in hospitals, medical universities and research institutions across Greece.Footnote 5 Specifically, outside Athens and Thessaloniki, the two major Greek cities, these are developed and maintained exclusively at University Medical Schools. Most research biobanks in Greece comprise biological material which is or could be used in the analysis (e.g. cardiovascular, many types of cancer, metabolic, respiratory, hereditary, neurodegenerative, infectious). They are originally developed during clinical practice as clinical biobanks, storing heterogeneous biological samples. At the time of collection, these samples are destined for clinical/diagnostic activities, but they are afterwards repurposed usually through the route of a broad consent to any research purpose granted by the patient. In some cases, research biobanks include samples from groups of the general population, meaning healthy individuals whose data serve as control samples. Existing tissue collections, research biobanks amongst them, fall under the supervision of the Ministry of Health, the Ministry of Education, Research and Religious Affairs and, specifically, its General Secretariat for Research and Technology.Footnote 6

The largest tissue collection whose samples are mainly intended for diagnostic services but might be used for research purposes is the First Department of Pathology which belongs to the Medical School of the National and Kapodistrian University of Athens established in 1850. It is the oldest laboratory of pathological anatomy in Greece, serving also research and educational needs. The total number of examinations conducted by the laboratory amounts to 30,000 cases per year, the majority of which involves patients with malignant diseases. The samples are stored in the laboratory’s premises in paraffin blocks with corresponding documented diagnoses from the ‘Laiko’ Hospital as well as from thirty other hospitals across Greece.Footnote 7 The patients’ consent to the use of their tissues for research is given at the time of the tissue collection and is then archived. During the last decade, the department has been actively involved in a European brain tissue bank network BrainNet Europe ll (Network of European Brain and Tissue Banks for Clinical and Basic Neuroscience) project funded by the European Commission’s 6th Framework Program for Research.

The Laboratory of Medical Genetics of the University of Athens (Horemeio), also providing diagnostic services mainly, is based at the Children’s Hospital ‘Agia Sofia’. Due to its long experience, it is a reference centre for issues related to the diagnosis, treatment and prevention of genetic diseases across Greece. It holds an important tissue collection on genetic diseases, storing DNA samples for research purposes with an informed consent procedure since 2010. Similarly to the Laboratory of Medical Genetics, the Report Centre for Thalassemia offers diagnostic examinations for thalassemia and, at the time of collection, it obtains individuals’ consent to the use of their tissue for research, provided that their data are anonymised.

Furthermore, the Hellenic Cooperative Oncology Group (HeCOG) runs from 1990 its own tissue collection, with 14,000 formalin-fixed paraffin-embedded blocks, all fully annotated with clinical data from patients treated in network centers, accompanied with consent forms for research purposes. There is a HeCOG molecular oncology laboratory in Thessaloniki, with a second smaller laboratory in Athens.Footnote 8 The National Retrovirus Reference Centre (NRRC) based in the Athens University Medical School (Athens) has an active biobank of 370,000 saved samples (plasma, serum, biopsies, DNA, dry specimens), including samples preserved in liquid nitrogen, from 1991. The NRRC specializes in virology research on human pathogenic micro-organisms (AIDS, Hepatitis B and C, other viral infections) as well as cancers of viral origin.Footnote 9

A research biobank outside clinical practice, set up through the European Prospective Investigation into Cancer (EPIC) study in 1994 and currently held in the premises of the Hellenic Health Foundation (Athens), contains samples from 28,572 adults from all over Greece, representing a broad range of sociodemographic traits.Footnote 10 Data collection for this biobank was accomplished with participants’ informed consent by means of two questionnaires during a baseline examination in which the following information was recorded: medical and reproductive history, sociodemographic and lifestyle factors, and habitual diet. Anthropometric data and blood pressure were measured, while blood samples were also collected.Footnote 11

From 1998, the National Centre for Scientific Research ‘Demokritos’ operates the Molecular Diagnostics Biobank on inherited types of cancer with approximately 15,000 germline DNA samples accompanied with pedigrees describing the family history of the disease (e.g. genes BRCA1, BRCA2, TP53, PALB2).Footnote 12 As from 2009, the Laboratory of Molecular Oncology in collaboration with HeCOG, the Hellenic Collaborative Oncology Group and Aristotle University of Thessaloniki operates a biobank, which includes biological material from more than 15,000 patients who participated in clinical trials and have provided their informed consent to the use of the biological material for research purposes.Footnote 13

Since 2007, the University of Ioannina hosts the Cancer Biobank, with samples from 600 patients with hematologic neoplasia and an unregistered number of patients with solid organ neoplasia.Footnote 14 Research participants have signed an informed consent form, which, thanks to the creation of a GDPR compliance office on site, is being reviewed to become more nuanced, tiered and fully compliant with the requirements of the GDPR. Data collection was specific to each research project but generally focused on the disease, its status, and DNA and RNA extraction data. Another important biobank is that of Idiopathic Intermediate Pulmonary Diseases (IOP) and for Idiopathic Pulmonary Fibrosis. This biobank collects clinical and epidemiological data and biological material (blood, plasma, biopsy etc.).Footnote 15

The Biomedical Research Foundation of the Academy of Athens (BRFAA) is the Central Node of the BBMRI-GR network from 2008, which is officially a member of the Pan-European Biomedical Infrastructure Consortium (BBMRI-ERIC).Footnote 16 Within BRFAA operates the Hellenic Biobank for Parkinson’s Disease on patients with Parkison’s Disease (PD).Footnote 17 It contains 708 samples of PD patients and 351 of control samples, which are all numbered and allocated pseudonomysided codes corresponding to clinical information such as demographics, history of exposure to environmental influences, clinical history, and relevant clinical scales. All information, including informed consent forms, is both stored in hard copy and uploaded to the database of the biobank. BRFAA also has also a normal population samples biobank (placental connective tissue) collected for research purposes. The Hellenic Cord Blood Bank operates within the Center of Clinical, Experimental Surgery & Translational Research in BRFAA and also obtains informed consent from the parents for further research use of their children’s stored biospecimens. BRFAA, along with the Fleming Institution, is also part of the Greek Research Infrastructure for Precision Medicine (pMedGR). This infrastrusture is coordinated by the University of Athens and ‘aims to bring together intersectoral partners’, such as Biotechnology SMEs, diagnostics developers, biomedical and clinical researchers and policy makers, in order to advance precision medicine in Greece. It could prove to be of obvious support to biobanking activities in Greece, as it has stated that it ‘will determine strategies and implement best practices for collecting, cataloguing, and storing samples and specimens (fresh, frozen or FFPE samples)’.Footnote 18

Since 2013, samples (including serum, plasma and DNA) are obtained from patients attending the ‘Out-Patient Clinic for the Prevention and Treatment of Overweight and Obesity in Childhood and Adolescence’, in the ‘Aghia Sophia’ Children’s Hospital (Athens). This research biobank functions within the ‘National Program for the Prevention and Treatment of Overweight and Obesity in Childhood and Adolescence’, and approximately 3000 children and adolescents have been followed-up at the Out-Patient Clinic. All data and samples are being provided with the participants’ explicit and written informed consent and the approval of the local REC. Another biobank is that of the Institute of Applied Biosciences (INAB) of the Centre for Research and Technology Hellas (CERTH), which is affiliated with the Hematology Department and the HCT Unit of the ‘G. Papanicolaou’ Hospital in Thessaloniki. It has a collection of 60,000 samples coming from different types of biospecimens on 24 hematologic malignancies.Footnote 19

Finally, a national BBMRI.GR network of existing tissue collections among different institutions, which shall be based in the Biomedical Research Foundation of the Academy of Athens (BRFAA), has been established. Once set in operation, this biobank will comply with the quality standards of the EU infrastructure BBMRI-ERIC. This nationwide endeavour will initiate a new era of biomedical research in Greece, during which large-scale and high-quality biological samples of patients and healthy individuals will be gathered for analysis employing not only latest technologies, such as Next Generation Sequencing (NGS), but also suitable for integrated analyses that will include the full range of omics technologies, which is necessary to make new treatments possible in the context of Precision medicine.Footnote 20 Furthermore, the country’s contribution to the BBMRI-ERIC infrastructure and its concomitant compliance with the BBMRI ERIC Code of conduct aim to create a network of Greek biobanks and connect them with the infrastructure in order to expedite Greece’s integration into the European Research Area (ERA) regulations.Footnote 21

2.2 Regulatory Framework

Within the Greek legal context, general rules on (biomedical) research are applicable to biobank research as a more specific type thereof. Provisions governing research participants’ personal data and autonomy derive from the following soft and hard legal instruments:

  1. i.

    Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) of the Council of Europe;

  2. ii.

    Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine of the Council of Europe (Oviedo Convention);

  3. iii.

    Law 2619/1998 ratifying the Oviedo Convention;

  4. iv.

    Law 3418/2005 (Code of Medical Ethics/Deontology) and specifically Article 24 (2) d, requiring that the research project is approved by the competent administrative authority, following a consenting opinion of the competent Scientific Council of the hospital and/or the Ethics Committee;Footnote 22

  5. v.

    Regulation EU No 536/2014 on clinical trials of medicinal products for human use;

  6. vi.

    Ministerial Decision DYG 3/89292/2003 implementing Directive 2001/20/EC on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use;

  7. vii.

    Law 4386/2016 on Regulations for Research and other provisions, regulating administrative aspects of research.

  8. viii.

    Law 4624/2019, Personal Data Protection Authority, implementing measures for Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and their integration into national law legislation of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 and other provisions.

  9. ix.

    Additional regulations including sample quality, standard operational procedures, ISO certifications such as ISO/IEC 17025 and Good Laboratory Practice Regulations.Footnote 23

The only relevant piece of law wherein collections of tissues are referred to in a systematic way, in terms of structure and operability, is the Presidential Decree 26/2008, which implements the Directive 2004/23/EC of the European Parliament and of the Council in the Greek legislation. This Decree sets quality and safety standards for the donation, procurement, testing, processing, preservation, storage, disposal of dangerous substances, and distribution of human tissues and cells. In general, this Decree does not apply to research biobanks, since it refers exclusively to the application of tissues and cells on humans.Footnote 24 However, it applies to both public and private biobanks which store stem cells for transplantation, in which case the Hellenic Transplant Organization (HTO/EOM) as well as sperm and IVF biobanks are responsible for authorization.

Researchers acting within a biobank are, furthermore, subject to obligations of professional secrecy,Footnote 25 securing in this way participants’ privacy. When collected within the practice of medical care/services, personal information concerning health is subject to medical confidentiality. This confidentiality can be lifted with the subject’s consent. In addition, medical confidentiality along with sanctions for its violation are enshrined in the Greek Penal Code (Article 371). In practice, researchers who do not abide by obligations of medical confidentiality are still subject to confidentiality by a bilateral legal act with the controller, such as a Non-Disclosure or Confidential Disclosure Agreement (NDA/CDA).Footnote 26

On the research participants’ side, their privacy is further safeguarded by the application of relevant GDPR provisions related to the protection of genetic and health data. Already before the GDPR, health-related data used in biomedical research and formed as part of a file were protected as sensitive data under Law 2472/1992 (Act on the Protection of Individuals with regard to the Processing of Personal Data), which had implemented the Directive 95/46/EC (Data Protection Directive) in Greece. This law (Article 7 (1)) prohibited the processing of sensitive data, health and genetic ones among them, and allowed it only under specific exceptions (Article 7 (2)), with consent being one of the legal bases for lawful processing.

3 Individual Rights and Safeguards

Biobank participants have access to multi-level protection of their rights in Greece. First of all, in the realm of private law, the Greek Civil Code establishes the right to personality (Article 57), a more specific aspect of which is–according to the dominant scholarly view–the subjects’ right to monitor and allow the use of their health data (informational self-determination). Concurrently, a web of constitutional provisions directly applicable to biobank research guarantees individuals’ privacy and autonomy at a higher level.Footnote 27

Additionally, the autonomy of biobanks’ participants is protected by Law 4521/2018, which in Chapter 5 establishes Research Ethics and Deontology Committees (REDCs) in all universities and research institutions. Funded research projects involving studies on humans or on samples deriving from humans, such as genetic material, cells, tissues and personal data, need prior authorisation from the institution’s REDC before launching. REDCs examine whether research projects respect humans’ inherent value as well as participants’ autonomy, private life and personal data. Regarding the latter, though, it remains unclear how data protection issues could be reviewed by REDCs, given that, on the one hand, their boards often do not include a data protection expert and that, on the other, their pre-GDPR responsibility was to verify whether controllers had obtained the required authorisation from the Hellenic Data Protection Authority. In any case, this provision should not be interpreted as indicative of a legislative will to have the duties of DPAs replaced by REDCs in research, as the former remain solely responsible for assessing data protection violations.Footnote 28

More recently, GDPR and the Law 4624/2019 or ‘Law on the Protection of Personal Data’, hereinafter the ‘Greek law’, containing a total of 42 Articles which transpose derogations and points left to the national legislator’s discretion into Greek legislation, apply directly as foreseen to the protection of participants’ privacy. One of the most significant changes brought about by them is the abrogation of the HDPA authorisation. Specifically, before GDPR came into force in Greece, the HDPA provided a ‘double authorisation’ for the collection and processing of personal data: one to the controller who owned the data and one to the researchers who requested those data for the purpose of scientific research in case the data where not in their ownership, rendering therefore the latter controllers of the data.Footnote 29

GDPR and the provisions included in Article 30 of the Greek law apply to the processing of personal data for scientific or historical research purposes or for the collection and maintenance of statistical data. Research is not further defined in the Greek law, but following GDPR it is mentioned in its scientific and historical type. The objective of a European Research Area is not mentioned or implied either, as cross-border processing is examined only with regards to crime-related data. Furthermore, pursuant to Article 9(4) GDPR, a further limitation on the processing of genetic data is identified under Article 23 of the Greek law, strictly prohibiting the processing of genetic data for health and life insurance purposes. It is however worth noting that the national legislator chose not to prohibit the processing of genetic data which have been generated in the course of predictive genetic tests.

Of extreme importance to participants’ right to privacy in biobanking is the above mentioned breakthrough provision which refers to the data controller’s ‘interest’ that must be carefully examined on a case-by-case basis when it comes to data processing for research purposes.Footnote 30 More specifically, the Greek law specifies that ‘… processing of specific categories of personal data … is permitted without the consent of the data subject, when the processing is necessary for the purposes of scientific or historical research or for the collection and maintenance of statistics, and the interest of the data controller is superior to the data subject’s interest not process its personal data. The controller shall be required to take appropriate and specific measures to protect the data subject’s legitimate interests. These may include in particular: (a) restrictions on data access by data controllers and processors; (b) pseudonymization of personal data; (c) encryption of personal data (d) appointments of a DPO.’ Through this provision, for the first time the Greek legislator allows researchers to process the personal information of research participants, without the latter’s consent or the HDPA’s authorisation. This is definetely a positive step for biobanking research, where until now the model of informed written consent was rigorously followed and was thereby impeding research activities.Footnote 31

However, the above provision should be interpreted as the ‘exception’ from seeking the participant’s informed consent for research purposes and not the rule which should remain the controller’s obligation to seek the subject’s informed consent to the processing of their data, especially in the cases of prospective research studies. Otherwise, this provision risks to be wrongfully used as a ‘carte blanche’ enabling researchers to override individuals’ autonomy by using their data without a priori informing them for the intended data processing. Therefore, examining on a case-by-case basis if the researcher’s interest is in fact harmed or not is crucial to the right interpretation of this provision. Furthermore, the researcher’s obligation to seek the research participant’s informed consent to data processing should not be conflated with the obligation to request the participant’s consent to take part in the research study per se. Consequently, the researcher’s responsibility to guarantee that all information relevant to the research study, including information about personal data processing, has been provided to the participant remains part of the established obligation provide study participants with all the necessary information about each research protocol.Footnote 32

The Greek law postulatesFootnote 33 that processing of special categories of data is permitted, among other reasons, for the purpose of ‘preventive medicine’. Assuming that the technological progress taking place in biobanking research will be soon conducive to direct health benefits for the general population and given the fact that biobanks are already described as ‘the driving force of technological development and preventive medicine’,Footnote 34 it is not excluded that the aforementioned provision may in the near future be directly applicable to biobanks. This would mean that biobanks would have become an indispensable part of the healthcare system, serving also the purposes of preventive medicine.Footnote 35

Therefore, personal data processing in the case of biobanking research would be lawful, without the data subject’s informed consent, under the condition that additional (compared to the provision for research process) specific measures and safeguards are in place, including mainly the following: ‘a) technical and organizational measures to ensure that the treatment is in conformity with GDPR; (b) measures to ensure that ex-post verification can be carried out and the determination of whether and by whom personal data has been entered, modified or removed; (c) measures to increase awareness of the staff involved in the personal data processing; (d) restrictions on access by data controllers and processors; (e) the pseudonymization of personal data; (f) encryption of personal data; (g) measures to ensure the capacity, confidentiality, integrity, availability and durability of processing systems and services related to the processing of personal data, including the ability to quickly restore availability and access in the event of a physical or technical incident; (h) procedures for regularly testing, evaluating and evaluating the effectiveness of technical and organizational measures to ensure the safety of processing; (i) specific rules to ensure compliance with this Act and the ISG in the event of transmission or processing for other purposes; (j) DPO appointment’. It is, therefore, clear that the above two provisions (Article 30 and Article 22 respectively) contravene the Greek legal tradition in processing health and genetic data, which relied upon the informed written consent, and foster a new model for conducting research without the individual’s consent, as long as the data controller’s interest supersedes that of the subject.Footnote 36 In support of biobanking research is also the fact that the Greek law postulates no further specification or addition regarding storage limitation; therefore, in the case of research, only the relevant provisions of Article 5(1)(e) GDPR apply.

As seen above, pursuant to Article 89(1) GDPR, the Article 30 of the Greek law enumerates several safeguards, which data controllers are required to enact for the data processing to be in accordance with individuals’ rights and freedoms. Contrary to the previous data protection regime, and following the GDPR, the current law introduces into Greek legislation the concept of pseudonymisation. More specifically, further introduces the concept of data encryption as a technical means strengthening data protection, without however defining the term. Although anonymisation is not defined in the law, it is mentioned in Article 30(3), where it is stated that the data controller must anonymise the data as soon as the scientific or statistical purposes permit so, unless this is contrary to the data subject’s legitimate interest. In addition, the Greek legislator provides that, until anonymisation takes place, features that can be used to correlate details of personal or actual situations of an identified or identifiable individual must be stored separately. Furthermore, these features can be combined with individual details only if required by the research or statistical purpose, adding in this way further safeguards for the data subject’s protection.Footnote 37

When it comes to publishing the results of scientific research, the Greek law requires compiance with specific conditions for the publication or disclosure of personal data. In particular, personal data processed in the context of research can be published by the data controller, provided that either the concerned data subjects have given their relevant explicit and written consent or the publication is absolutely necessary to present the results of historical research; in this later case, all personal data are pseudonymised.Footnote 38

Furthermore, the Greek law allows for overriding, inter alia, the data subject’s right to access, rectify, restrict and object to the processing (Article 15, 16, 18 and 21 GDPR). More specifically, it grants such an exception in so far as, on the one hand, exercising these rights may render impossible or seriously impair the purposes of scientific or historical research and, on the other hand, restricting these rights is necessary to achieve the aforementioned purposes. For the same reason, the right of access (Article 15 GDPR) does not apply where personal data are necessary for scientific purposes and providing information to the data subject requires disproportionate effort. The right to data portability (Article 20 GDPR) may apply to at least some of the data stored in the biobanks, namely the data provided by the data subjects themselves under consent, if any. What should be considered as such data, though, is not entirely clear.Footnote 39 Lastly, there is no specification or addition in the Greek law providing particular research exemptions to the right to erasure (‘right to be forgotten’); therefore, the GDPR provision applies as it stands.

4 Law in Context: Individual Rights and Public Interest

The ultimate objective of a biobank is to serve the public interest by improving public health. Yet, this objective might be in contrast to the need to guarantee individual rights such as the ones examined in the previous part. Traces of this tension between individual rights and public interest in the domain of research are found in the Greek Constitution and particularly in its Article 16, which establishes the right to research and endows it with both a status negativus, in the sense of a state obligation not to interfere with research, and a status positivus, in the sense of a state obligation to assist researchers in their work.

In addressing conflicts between this constitutional right to research/science and the likewise constitutionally protected individual rights examined above, the principle of proportionality becomes key. A more straightforward scenario is when the scientific research contravenes the public interest or fundamental rights of third parties. In such cases, according to the principle of lawfulness, which was already in force through the former data protection law, processing personal data is forbidden.

There are no specifications regarding the private or public character of research in the Greek law. However, the law allows access to special categories of personal data that are held for archiving purposes in the public ‘interest under the condition that relevant safeguards for the protection of data subjects are in place. However, the fact that the mere appeal to public interest is deemed sufficient to grant access to health and genetic data, e.g. within the context of registries, significantly weakens individuals’ position and might prove to be problematic.’

Finally, since the authorisation procedure by the Hellenic Data Protection Authority is abrogated, possible risks to public interest should be taken into consideration by the controller within the framework of a Data Protection Impact Assessment (DPIA). This is why, especially in the context of biobanking, DPIAs should be seen as a dynamic process that needs to be constantly updated based on relevant technical developments. Of great importance is the role of the biobank’s Data Protection Officer (DPO), who is by law responsible for informing and advising the controller (biobank as a legal entity) and the employees (researchers) on their obligations pursuant to GDPR; monitoring their compliance with the Regulation; advising on the development of the DPIA and monitoring its performance; cooperating with the DPA and acting as the contact point for issues related to processing, including the prior consultation of Article 36 GDPR.

All in all, the regulatory as well as empirical research landscape in Greece is for the first time slightly distancing itself from the model of informed consent, under the condition that specific technical means and safeguards are in place. We are still however far from witnessing a ‘communitarian turn’ from models of informed consent to consent based on the values of trust, solidarity, reciprocity, citizenry, or even moral obligation towards fellow human beings and the greater social benefit.Footnote 40 Moreover, it is remarkable that neither the Greek constitution nor the Greek law or the GDPR are preoccupied with group-level threats to privacy and autonomy. Adopting a strictly individualistic lens in data protection implies that entire social groups might be stigmatised and disadvantaged because of their genetic dispositions or that the particularities of vulnerable social groups such as minors or incompetent persons might be disregarded.

Such concerns become even more imperative in the context of biobank research, whose process and outcomes are primarily group- and population-based. Contrariwise, these are issues which could be addressed through targeted legal instruments, as is indicatively the case with the Estonian Human Genes Research Act, which includes provisions on genetic discrimination, or the Swedish Biobanks in Medical Care Act, which contains specific rules on samples from newborns.Footnote 41 What is more, a suggested collective consideration of data protection is not necessarily at odds with greater individual autonomy. Instead, by indicatively adopting a Kantian perception of autonomy, the welfare of others could serve as a guiding principle in reaching personal autonomy.Footnote 42

Hence, it remains to be seen in practice how the national DPA will respond to such societal and ideological specificities and strike a balance between individual and group/public interests. Alternatively, the absence of legal provisions related to crucial biobank-related issues, including discrimination based on health and genetic data processing, the treatment of specific social groups, data ownership, benefit sharing and consent withdrawal, risks deriving from the commercialization of biobanks and/or their findings, incidental findings and disclosure of research results, could set forth the case for a tailored, unified biobank law in Greece.

5 GDPR Impact and Future Possibilities for Biobanking

GDPR brought significant changes to the data protection framework in Greece, and its overall impact can be deemed as further enabling biobanking activities. By implicitly establishing research as the legal basis for data processing, it addresses one of the main impediments of retrospective research and satisfies one of the most enduring demands of the Greek scientific community. Similarly, by eliminating the need for prior authorisation from the HDPA, it simplifies the research process. Before the GDPR, the double HDPA authorisation was required for all kinds of data processing, even data transfer, which means that now researchers have been relieved from a substantial bureaucratic burden. Yet, this does not come at the expense of individuals’ protection, as they are equipped with measures and safeguards such as encryption, pseudonymisation of their data and the DPO appointment, which come as a guarantee of their rights.

Moreover, the fact that all Member States must comply with the same minimum level of protective safeguards demanded by the GDPR, notwithstanding any national deviations, will make it easier for Greece to participate in cross-border consortia and biobank research projects. Last but not least, the GDPR has brought some necessary terminological clarity by introducing the newly brought in data protection legislation term of ‘pseudonymisation’ as oposed to anonymisation. Also, by promoting the former in lieu of the—widely rejected among Greek researchers–anonymisation it allows for information-heavy and thereby safer scientific outcomes, thus rendering biobank research more effective. Hopefully, the advent of the GDPR in tandem with the expected national population biobank will gear the public opinion towards a positive reception of biobank research.

6 Conclusions

The brief overview provided in this chapter is by no means intended to be exhaustive; rather, it aspires to have provided a first documentation of the empirical and regulatory landscape of biobanks in Greece. Absent an ad hoc law, biobanks in Greece have been so far governed through an assemblage of laws regulating biomedical research and data protection, which includes constitutional and civil law provisions protecting, on the one hand, the freedom of research and, on the other, individuals’ privacy. When it comes to participants’ data protection rights, the Greek Law makes use of Article 89 GDPR, as derogations for specific subject rights for scientific research have been proposed and it allows the processing of personal data without the subject’s prior consent, when specific safeguards are implemented. However, as analysed above, numerous existing practical difficulties have prevented researchers from establishing biobanks. It is, therefore, anticipated by the research community that the national population biobank network, once established, will bring to the forefront discussions for the articulation of a specific legal framework for biobanking. By supplementing or specifying the current data protection regime in Greece, such framework would significantly contribute to legal certainty in the realm of biobanking research. As a result, it could enable the processing of an extensive amount of samples and data stored in biobanks for research purposes, ultimately benefiting the Greek society as a whole.