What is the GDPR?
The General Data Protection Regulation (GDPR) is a data protection law enacted by the European Union that replaced the previous EU data protection regime under Directive 95/46/EC. The GDPR sets out provisions intended to protect individuals’ Personal Information and to regulate the processing and sharing of Personal Information. The law also harmonizes data protection law throughout the EU by applying a single legal framework that is binding and enforceable in all EU member states. The GDPR became effective on May 25, 2018.
Does it apply to me?
The GDPR applies to 23andMe customers based in an EU member state who purchased 23andMe Services marketed and sold in that EU member state.
Principles
While the GDPR only applies in the EU, 23andMe provides similar data protection to customers globally. Here’s how we approach data protection at 23andMe:
Transparency
At its core, the GDPR is about enabling individuals to find out what Personal Information businesses hold about them, why they hold it, and whether that information is disclosed or shared with third parties. For details on what data we process, how we process it, and for what purposes, please refer to our Privacy Statement. We updated our Privacy Statement, added information about our practices, and made it easier to understand.
Security
Another key focus of the GDPR is ensuring that data is processed securely: any business processing Personal Information must implement technical and organizational measures appropriate to the risk. As such, we have evaluated all of our processing activities to ensure we are appropriately mitigating risks to Personal Information by implementing technical and organizational security measures. Activities that process sensitive information, such as Genetic Information (which the GDPR treats as a special category of personal data), are inherently riskier and therefore require stronger safeguards. Read more about 23andMe Security practices.
Control over your Personal Information
We added new tools and functionality to your Account Settings page to give you more control over your information. More 23andMe data than ever before can be downloaded from within your account.
How does 23andMe support my rights under the GDPR?
The GDPR applies to the processing of personal data of individuals who are in the European Union, where the processing activities relate to the offering of goods or services to individuals in the Union. You can exercise your rights of access, objection, rectification (correction), and erasure (deletion) via your Account Settings. If you wish to exercise any other rights under the GDPR that are not available in your Account Settings, contact us at privacy@23andMe.com so we may assist you.
Please be sure to review our Privacy Statement. In the event of any inconsistency between these guides and the 23andMe Privacy Statement and/or Terms of Service, the provision contained in the Privacy Statement and/or Terms of Service shall control.
You can learn more about your rights and how 23andMe supports them here.
Breach Notification. Requirements to report personal data breaches to the supervisory authority (within 72 hours of becoming aware of the breach, where feasible) and, where the breach is likely to result in a high risk to individuals, to notify the affected data subjects.
Stronger Enforcement. Dissuasive penalties for companies that do not comply with the new EU requirements.
Learn more about the 23andMe road to compliance here. For more information about how 23andMe supports your rights under the GDPR, click here.