Personal data protection has become a fundamental normative challenge for biobankers and for scientists working with human biological samples and the data associated with them. The General Data Protection Regulation (GDPR) harmonises personal data protection law throughout Europe and, under GDPR art. 40, allows codes of conduct for the processing of personal data to be developed. Codes of conduct are a soft law measure for creating protective standards for data processing that are adapted to a specific area, among others the biobanking of human biological material. Challenges in this area have been noted by the European Data Protection Supervisor and by the Biobanking and BioMolecular Resources Research Infrastructure–European Research Infrastructure Consortium (BBMRI.ERIC). They mainly concern the specification of the GDPR's definitions and the determination of the appropriate legal basis for data processing, particularly for transferring data to other European countries. The recommendations given in this article, which are based on the GDPR, on guidelines published by the supervisory authority and expert bodies, and on our experience in drafting the Polish code of conduct, are intended to help establish how a code of conduct for the processing of personal data in biobanks should be developed.