Find your ancestors using DNA – what does GDPR say?

JUDr. Ondřej Preuss, Ph.D.
11. June 2019
5 minutes of reading
5 minutes of reading
Other legal issues

Since May last year, there has been a lot of talk about the protection of personal data such as names, birth numbers, faces, etc. But what about such human DNA?

Vědkyně u mikroskopu s pipetou

DNA is a means of obtaining so-called genetic data about an individual. These are very important from a GDPR perspective because they allow us to obtain information about an individual that is otherwise impossible to obtain, in particular about a person’s physiology and health.

Even before the GDPR was adopted, DNA was also identified as a particularly sensitive source of personal data by the European Court of Human Rights when it ruled in 2008 on UK legislation that allowed DNA samples to be retained from people who had been arrested but subsequently acquitted of a crime.

Therefore, genetic data is included in the GDPR in a special category of personal data, which is also referred to as sensitive personal data (health, sexual orientation, religion, etc., among others, are similarly included). These have a stricter processing regime – as a rule, their processing is completely prohibited; the GDPR only provides for a few exceptions, including where the individual gives explicit consent to the processing of such genetic data for specified purposes.

Services that trace your ancestors using DNA

As a large number of services are emerging that will use your DNA to find your ancestors, this also raises a lot of questions about data protection. If someone chooses to have their DNA analysed, they need to be aware that they are providing a stranger with virtually the most sensitive data that exists about them; there will always be some risks associated with this. For example, MyHeritage, which is a foreign DNA testing and kinship and ethnicity company. Here, for example, it is somewhat problematic that it is a foreign entity that sends samples to the US but at the same time does not have sufficient support in the country where it offers its services, for example. In the case of MyHeritage, its previous approach to data protection is also problematic; for example, last year it experienced a massive leak of personal data. In another similar service, for example, an agreement whereby a large pharmaceutical company gained access to some data provided by clients caused controversy. It is therefore also important to use any such service with an awareness of the risks that may arise.

What about sending DNA samples to countries outside the EU?

Are you solving a similar problem?

Solutions Tailored for You

Our team of experienced attorneys will help you solve any legal issue. Within 24 hours we’ll evaluate your situation and suggest a step-by-step solution, including all costs. The price for this proposal is only CZK 690, and this is refunded to you when you order service from us.

I Need help

  • When you order, you know what you will get and how much it will cost.
  • We handle everything online or in person at one of our 5 offices.
  • We handle 8 out of 10 requests within 2 working days.
  • We have specialists for every field of law.

What about sending DNA samples to countries outside the EU?

Under the GDPR, any transfer of personal data to a third country (i.e., a non-EU country) where personal data is transferred for, among other things, further processing, including storage, must be conditional on there being an adequate level of protection of personal data in that country, or on there being sufficient guarantees that the transfer of personal data to that country will not compromise the protection of the individual’s personal data. In this respect, the GDPR also provides for an obligation to inform the individual about such transfer (in particular about the intention to provide personal data to the third country and the level of protection), but it is not always necessary to refer to the specific data protection legislation of the country in question.

With respect to the US, a decision has been issued by the European Commission setting out the conditions under which the level of protection for the processing of personal data by US companies is sufficient to allow such transfers of personal data to take place without the need to provide further detailed safeguards. However, this decision, also known as the ‘Privacy Shield’ decision, is not without controversy; its predecessor, the so-called ‘Safe Harbour’ decision, was overturned by the EU Court of Justice in light of, among other things, the Edward Snowden affair, and the current decision has also already been challenged (albeit unsuccessfully so far) before the EU Court of Justice. Under the Privacy Shield regime, US companies are included in a list of entities that have voluntarily committed to comply with the principles of data protection. If a company is not on this list, personal data can only be transferred if it meets the detailed safeguards required by the GDPR.

For example, when a company states that it will make users’ personal data available to third parties in the event of an acquisition of a company – where all of the company’s assets or shares will be acquired or sold – then personal data will be one of the assets transferred. Is this possible?

It is important to note here that personal data about individuals is not an “asset” of any company; it is not its property, nor does it own that data. The concept of GDPR makes it quite clear that an individual cannot “sell” his or her personal data to any company, he or she only gives consent for that company to process his or her data under certain conditions (from the purposes and methods of processing to, for example, the retention period) – in principle, he or she only “lends” it to the company and can withdraw his or her consent at any time and, for example, request the deletion of personal data already provided.

Therefore, this part of the terms of the contract is also rather insufficient – it is not sufficiently clear what personal data will be disclosed and to whom exactly and under what conditions (e.g. will it be only data such as name and surname or even DNA samples, or will it be disclosed only to those who buy the company, or even to “interested parties” as part of the negotiation process, etc.).

Sdílejte článek


Are you solving a similar problem?

Solutions Tailored for You

Our team of experienced attorneys will help you solve any legal issue. Within 24 hours we’ll evaluate your situation and suggest a step-by-step solution, including all costs. The price for this proposal is only CZK 690, and this is refunded to you when you order service from us.

I Need help

Author of the article

JUDr. Ondřej Preuss, Ph.D.

Ondřej is the attorney who came up with the idea of providing legal services online. He's been earning his living through legal services for more than 10 years. He especially likes to help clients who may have given up hope in solving their legal issues at work, for example with real estate transfers or copyright licenses.

Education
  • Law, Ph.D, Pf UK in Prague
  • Law, L’université Nancy-II, Nancy
  • Law, Master’s degree (Mgr.), Pf UK in Prague
  • International Territorial Studies (Bc.), FSV UK in Prague

You could also be interested in

We can also solve your legal problem

In person and online. Just choose the appropriate service or opt for an independent consultation when you are unsure.

Google reviews
4.9
Facebook reviews
5.0
5 200+ people follow our Facebook
140+ people follow our X account (Twitter)
140+ people follow our LinkedIn
 
We can discuss your problem online and in person

You can find us in 4 regional towns

Quick contacts

+420 775 420 436
(Mo–Fri: 8–18)
We regularly comment on events and news for the media