The General Data Protection Regulation (GDPR) is a new European data protection law which replaces the existing EU data protection regime under Directive 95/46/EC. The GDPR sets out provisions intended to harmonize data protection laws throughout the EU by applying a single data protection law that is binding throughout all member states. The GDPR became effective on 25 May 2018.
23andMe and the GDPR
The GDPR applies to virtually all organisations, including 23andMe, that process the “personal data” of EU residents through services offered to them, regardless of whether the organization is physically based in the EU. The GDPR applies to 23andMe because we market and provide the Personal Genetic Service in EU member states through our UK, EU and our International sites.
For a list of countries we ship to in the EU, click here.
23andMe is a “controller” under the GDPR because we determine how and why personal data is processed.
Key Updates Under the General Data Protection Regulation (GDPR)
Harmonization. The GDPR was designed to harmonize the protection of fundamental rights and freedoms of individuals in EU member states by moving away from 28 different, inconsistent national laws towards common rules on data protection.
Data protection by design and by default. The implementation of data protection principles to protect the rights of the individual when designing a new process or otherwise determining how they wish to process data. By default, using only the information necessary for a specific purpose, also known as data minimization, such that data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Control. More control and greater access to the personal information processed by businesses through strengthened rights.
Data Subject Rights:
The right to be informed - The right to information about the processing of your personal information.
The right of access - The right to obtain access to the personal data being processed. The right to rectification - The right to have personal data that is inaccurate or incomplete corrected.
The right to erasure - Also known as the Right to Be Forgotten, the right to have personal data erased when it is not needed or when processing is not done on a valid, legal basis.
The right to restrict processing - The right to restrict the processing of your personal information in certain cases.
The right to data portability - The right to receive your data in a commonly used, machine readable format and the right to transfer that to another controller.
The right to object - The right to object to the processing of your personal information for direct marketing.
Rights in relation to automated decision making and profiling.
You can learn more about your rights and how 23andMe supports them here
Breach Notification. Requirements regarding reporting personal data breaches to supervisory authorities and notifying affected data subjects about personal data breaches in certain circumstances.
Stronger Enforcement. Dissuasive penalties for companies who do not comply with new EU requirements.