GDPR and Your Genetic Data: What Every European Should Know

March 1, 2026 · 11 min read · By DeepDNA Team

Your DNA is the most personal data you will ever possess. Unlike a password, you cannot change it. Unlike a credit card number, it cannot be reissued. And unlike almost every other category of personal information, your genetic data does not belong to you alone -- it reveals sensitive information about your parents, your children, and your siblings, whether or not they ever consented to a test.

The European Union recognized this exceptional sensitivity when it drafted the General Data Protection Regulation. Genetic data receives the highest level of legal protection available under EU law. Yet millions of Europeans have already handed their raw DNA files to companies headquartered outside Europe, governed by foreign legal frameworks, and -- as recent events have demonstrated -- vulnerable to catastrophic breaches and corporate collapse.

This article explains what GDPR actually says about genetic data, what rights you hold as a data subject, what went wrong at 23andMe, and what to look for when choosing a genetic analysis service in 2026.

Genetic Data as "Special Category" Under GDPR Article 9

GDPR Article 9(1) establishes a general prohibition on the processing of certain categories of personal data deemed exceptionally sensitive. Genetic data is explicitly listed alongside biometric data, health data, racial or ethnic origin, political opinions, and religious beliefs.

The regulation defines genetic data in Article 4(13) as "personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained."

In practical terms, this definition covers a broad range of data types:

Processing any of this data is prohibited unless one of the specific exceptions in Article 9(2) applies. The most common lawful basis for consumer genetic services is explicit consent -- and that consent must meet a high bar. It must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not qualify. Bundled consent (where you must agree to research use to access your health reports) is legally questionable under GDPR.

Your Rights as a Data Subject

GDPR grants every person in the European Economic Area a robust set of rights over their personal data, including genetic data. These rights are not optional features that a company may choose to offer. They are legal obligations.

Right of Access (Article 15)

You have the right to obtain confirmation of whether a company processes your genetic data and, if so, to receive a copy of that data in a commonly used electronic format. This includes your raw genotype files, any derived reports, and information about who the data has been shared with.

Right to Rectification (Article 16)

If any personal data held about you is inaccurate, you have the right to have it corrected. While the raw SNP calls from a genotyping chip are what they are, associated metadata -- your name, contact details, self-reported health information, or ethnicity labels -- can and must be corrected upon request.

Right to Erasure (Article 17)

Often called the "right to be forgotten," this provision entitles you to demand the complete deletion of your genetic data. Not deactivation. Not archival. Deletion. When you exercise this right, the data controller must erase your data from all systems, including backups, within a reasonable timeframe -- and must inform any third parties with whom the data was shared to do the same.

This right is particularly critical for genetic data. If a company merely deactivates your account while retaining your genotype on its servers, your DNA remains exposed to future breaches, acquisitions, or changes in corporate policy.

Right to Data Portability (Article 20)

You have the right to receive your genetic data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. This is what allows you to download your raw data from one service and upload it to another for independent analysis.

Right to Restriction of Processing (Article 18)

You can request that a company stop processing your genetic data while a dispute is resolved -- for example, if you have contested the accuracy of derived health reports or withdrawn consent for research use.

The 23andMe Breach and Bankruptcy: A Case Study in Genetic Data Risk

In October 2023, 23andMe disclosed a data breach that ultimately affected approximately 7 million users. The attack vector was credential stuffing -- attackers used username and password combinations leaked from other services to access individual 23andMe accounts. From there, they exploited the DNA Relatives feature, which allows users to discover and connect with genetic matches, to scrape profile and ancestry data from millions of connected users who had never been directly compromised.
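The credential-stuffing pattern described above has a distinctive shape in an ordinary login audit log: one source address tries many different accounts, most attempts fail, and a few succeed because the reused password happened to be valid. Brute-forcing a single account looks different (one user, many failures). The Go program below is an added example written for this article, not code from 23andMe or DeepDNA; the log line format, the sample lines and the threshold of five distinct accounts per source are all constructed for illustration, and a real deployment would tune the threshold and act on the finding with rate limiting, forced password resets and the two-factor authentication recommended later in this article.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one parsed line of a (constructed) login audit log.
type AuthEvent struct {
	Time   string
	IP     string
	User   string
	Result string // "OK" or "FAIL"
}

// sampleLog is constructed for this example; it is not a real service log.
// Assumed line format: "<timestamp> ip=<addr> user=<name> result=<OK|FAIL>".
var sampleLog = []string{
	"2023-10-01T12:00:01Z ip=203.0.113.7 user=alice result=FAIL",
	"2023-10-01T12:00:02Z ip=203.0.113.7 user=bob result=FAIL",
	"2023-10-01T12:00:02Z ip=203.0.113.7 user=carol result=OK",
	"2023-10-01T12:00:03Z ip=203.0.113.7 user=dave result=FAIL",
	"2023-10-01T12:00:03Z ip=203.0.113.7 user=erin result=FAIL",
	"2023-10-01T12:00:04Z ip=203.0.113.7 user=frank result=OK",
	"2023-10-01T12:00:05Z ip=203.0.113.7 user=grace result=FAIL",
	"2023-10-01T12:01:00Z ip=198.51.100.2 user=alice result=FAIL", // single-account guessing
	"2023-10-01T12:01:09Z ip=198.51.100.2 user=alice result=OK",
	"2023-10-01T12:02:00Z ip=192.0.2.9 user=heidi result=OK", // normal login
	"this line is malformed and must be skipped",
}

// ParseAuthLine parses one log line; ok is false for malformed lines.
func ParseAuthLine(line string) (AuthEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return AuthEvent{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			return AuthEvent{}, false
		}
		kv[k] = v
	}
	ev := AuthEvent{Time: fields[0], IP: kv["ip"], User: kv["user"], Result: kv["result"]}
	if ev.IP == "" || ev.User == "" || (ev.Result != "OK" && ev.Result != "FAIL") {
		return AuthEvent{}, false
	}
	return ev, true
}

// IPStats summarises login activity seen from one source address.
type IPStats struct {
	IP        string
	Users     int // distinct usernames attempted from this address
	Failures  int
	Successes int
}

// SuspiciousIPs returns source addresses that tried at least minUsers distinct
// accounts and failed at least once: credential stuffing spreads across many
// accounts, unlike password guessing against one. Results are sorted by the
// number of accounts tried, most first.
func SuspiciousIPs(lines []string, minUsers int) []IPStats {
	users := map[string]map[string]bool{}
	stats := map[string]*IPStats{}
	for _, line := range lines {
		ev, ok := ParseAuthLine(line)
		if !ok {
			continue // malformed lines are skipped, not fatal
		}
		s := stats[ev.IP]
		if s == nil {
			s = &IPStats{IP: ev.IP}
			stats[ev.IP] = s
			users[ev.IP] = map[string]bool{}
		}
		users[ev.IP][ev.User] = true
		if ev.Result == "OK" {
			s.Successes++
		} else {
			s.Failures++
		}
	}
	var out []IPStats
	for ip, s := range stats {
		s.Users = len(users[ip])
		if s.Users >= minUsers && s.Failures > 0 {
			out = append(out, *s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Users > out[j].Users })
	return out
}

func main() {
	for _, s := range SuspiciousIPs(sampleLog, 5) {
		fmt.Printf("%s: %d accounts tried, %d failures, %d successes\n",
			s.IP, s.Users, s.Failures, s.Successes)
	}
}
```

On the constructed log, only 203.0.113.7 is flagged: seven different accounts with five failures and two successes. The address hammering a single account is not flagged by this rule and would be caught by ordinary per-account lockout instead; the two successes from the flagged address are the accounts a defender should invalidate first.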

The breach exposed names, birth years, ancestry results, and in some cases, health-related information. The data appeared for sale on dark web forums, with specific datasets targeting users of Ashkenazi Jewish and Chinese descent -- a chilling reminder that genetic and ancestry data can be weaponized for ethnic targeting.

What followed was arguably worse. Throughout 2024, 23andMe's financial position deteriorated. The company's board resigned, its stock price collapsed, and it ultimately filed for bankruptcy protection. The prospect of 23andMe's database -- containing the genetic data of over 14 million customers -- being sold as a corporate asset during bankruptcy proceedings alarmed regulators worldwide. The California Attorney General issued an unprecedented public advisory urging 23andMe users to delete their data and request destruction of their biological samples.

For European users, this sequence of events exposed a fundamental problem: even if GDPR grants you strong rights on paper, enforcing those rights against a company undergoing bankruptcy in a foreign jurisdiction is extraordinarily difficult. The lesson is clear. The safest genetic data is data that never leaves European jurisdiction in the first place.

Why Genetic Data Is Uniquely Sensitive

Genetic data is not simply another category of health information. It possesses characteristics that make it fundamentally different from any other type of personal data.

Immutability. You cannot change your genome. If your genetic data is leaked, there is no equivalent of changing your password or issuing a new credit card. The exposure is permanent and irreversible.

Familial impact. Your DNA is shared with your biological relatives. A breach of your genetic data exposes information about your parents, children, and siblings -- people who never consented to any test. Identical twins share 100% of their DNA. First-degree relatives share approximately 50%. Even distant cousins share enough to be identified through techniques like long-range familial searching, the same method used by law enforcement to identify the Golden State Killer.

Predictive power. Genetic data can reveal predispositions to diseases that have not yet manifested. This information has obvious implications for health insurance underwriting, life insurance, and employment decisions. While the EU's Anti-Discrimination Directives and national laws provide some protection, the legal frameworks have not kept pace with the capabilities of modern pharmacogenomic analysis and polygenic risk scoring.

Insurance and employment discrimination. Despite legal prohibitions, the risk of genetic discrimination remains real. In the United States, the Genetic Information Nondiscrimination Act (GINA) does not cover life insurance, disability insurance, or long-term care insurance. European protections are stronger but vary by member state, and enforcement is inconsistent.

Country-Specific Considerations in Europe

GDPR provides the baseline, but several European countries have enacted additional regulations that significantly affect how genetic data can be processed.

France

France maintains some of the strictest genetic testing regulations in Europe. Under the French Civil Code (Article 16-10) and the Bioethics Law, direct-to-consumer (DTC) genetic testing is effectively illegal. Genetic tests may only be ordered by a physician or a court for medical or judicial purposes. Individuals who order DTC tests from foreign companies face a theoretical fine of 3,750 euros, though enforcement against consumers has been rare. Companies offering DTC genetic services to French residents, however, face significant legal exposure.

Germany

Germany's Genetic Diagnosis Act (Gendiagnostikgesetz, GenDG) requires that genetic testing for health purposes be accompanied by genetic counseling from a qualified professional. The law prohibits employers and insurers from requesting or using genetic test results. It also establishes strict requirements for consent and data handling that go beyond GDPR's general provisions.

United Kingdom (Post-Brexit)

Since Brexit, the UK operates under the UK GDPR and the Data Protection Act 2018, which largely mirror EU GDPR. Genetic data retains its "special category" status. However, the UK's evolving data protection framework -- including proposed reforms under the Data Protection and Digital Information Act -- may diverge from EU standards over time. European residents should be cautious about services that process genetic data under UK jurisdiction, as future regulatory alignment is not guaranteed.

What to Look for in a Genetic Analysis Service

If you are considering having your genetic data analyzed -- or if you have already tested with another provider and want to move your raw data to an alternative service -- there are specific criteria you should evaluate before trusting any company with your genome.

EU-based data hosting. Your genetic data should be stored on servers physically located within the European Economic Area, subject to EU jurisdiction. This is the single most important factor. Data hosted in the United States is subject to US law, including potential government access under FISA Section 702 and Executive Order 12333. The invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union in Schrems II confirmed that US surveillance law is fundamentally incompatible with EU privacy rights.

Encryption at rest and in transit. Look for AES-256 encryption for stored data and TLS 1.3 for data in transit. Encryption at rest means that even if servers are physically compromised, the raw data remains unreadable without the encryption keys.
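To make the "unreadable without the encryption keys" property concrete, the following Go program is an added example written for this article, not DeepDNA's or any provider's implementation. It seals a constructed raw-genotype fragment with AES-256-GCM, keeps the key in a separate routine standing in for a key-management system, and shows that the stored blob no longer contains the SNP identifiers and that decryption with any other key fails outright rather than yielding garbled genotype calls. The file layout and SNP values are invented; the GCM mode is an assumption (the article names only AES-256), chosen because it also authenticates the stored data against tampering.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// rawGenotype is a constructed fragment in the tab-separated layout used by
// consumer raw-data exports (rsid, chromosome, position, genotype).
// The values are invented for this example and are not a real export.
const rawGenotype = "# constructed sample, not a real export\n" +
	"rs12345\t1\t752566\tAG\n" +
	"rs67890\t1\t798959\tCC\n"

const keySize = 32 // 256-bit key selects AES-256

// NewKey returns a fresh random 256-bit key. In a real deployment this stands
// in for a key-management system: the key lives apart from the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The output is nonce || ciphertext || tag,
// so the stored blob needs nothing but the key to be opened again.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. GCM authenticates the ciphertext, so a wrong key
// or any modification of the blob returns an error instead of wrong data.
func Decrypt(key, blob []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksMarker reports whether a stored blob still contains a plaintext marker
// such as an rsID; for a correctly encrypted blob this is false.
func LeaksMarker(blob []byte, marker string) bool {
	return bytes.Contains(blob, []byte(marker))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, []byte(rawGenotype))
	if err != nil {
		panic(err)
	}
	fmt.Println("rsID visible in stored blob:", LeaksMarker(blob, "rs12345"))
	otherKey, _ := NewKey()
	_, err = Decrypt(otherKey, blob)
	fmt.Println("decrypt with a different key:", err)
	plain, _ := Decrypt(key, blob)
	fmt.Print(string(plain))
}
```

The design point is the split between the two inputs: a server image or backup that holds only the blob is useless to whoever obtains it, so the security of the data at rest reduces to the security of the key store, which is why the separation of key management from storage that the article asks for matters more than the cipher name on the marketing page.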

True deletion, not deactivation. When you request erasure, the service should permanently delete your genetic data from all systems, including backups and disaster recovery copies. Ask specifically whether the company distinguishes between account deactivation and data deletion. Many services make it easy to deactivate and difficult to truly delete.

No third-party data sharing. Your genetic data should never be sold, licensed, or shared with third parties -- not with pharmaceutical companies, not with research institutions, not with advertising networks. Read the privacy policy carefully and look for unambiguous language, not vague assurances.

Designated Data Protection Officer. Under GDPR Article 37, organizations that process special category data on a large scale must appoint a Data Protection Officer. The DPO's contact information should be publicly available, and they should be responsive to inquiries.

Transparency about processing purposes. The service should clearly specify what it does with your data, for how long, and on what legal basis. Purpose limitation (Article 5(1)(b)) means your data cannot be repurposed without fresh consent.

How DeepDNA Addresses GDPR Requirements

DeepDNA was designed from the ground up for European genetic data privacy. Every architectural decision reflects the principle that genetic data deserves the highest available standard of protection.

EU-only infrastructure. All genetic data processing and storage occurs on servers hosted by Hetzner in Germany. Your data never leaves the European Union. There are no US-based subprocessors, no transatlantic data transfers, and no reliance on adequacy decisions that could be invalidated by future court rulings.

AES-256 encryption at rest. All genetic data stored on DeepDNA's servers is encrypted using AES-256, the same encryption standard used by governments and military organizations for classified information. Encryption keys are managed separately from the encrypted data.

True deletion. When you request erasure of your data, DeepDNA performs a complete deletion -- not a soft delete, not an archival flag. Your raw files, derived reports, and all associated metadata are permanently removed from all systems. We provide written confirmation of deletion upon request.

No data selling, ever. DeepDNA does not sell, license, or share your genetic data with any third party. Our business model is based on providing analysis services to you, not monetizing your genome behind your back.

Data minimization. In accordance with Article 5(1)(c), DeepDNA processes only the genetic data necessary to generate the reports you request. We do not retain data beyond the period necessary for service delivery unless you explicitly choose otherwise.

Practical Steps to Protect Your Genetic Data Today

Regardless of which service you use, there are concrete actions you can take right now to better protect your genetic privacy.

  1. Audit your existing accounts. If you have tested with 23andMe, AncestryDNA, or any other provider, log in and review your privacy settings. Opt out of research programs. Disable relative-matching features if you do not actively use them. These features expand your attack surface.

  2. Download your raw data. Exercise your right to data portability. Download your raw genotype files and store them securely on an encrypted local drive. This ensures you retain access to your data regardless of what happens to the company. Our raw data guide walks you through this process step by step.

  3. Request deletion from services you no longer use. Do not simply abandon old accounts. Explicitly request data erasure under Article 17. Document your request and the company's response. Under GDPR, the controller must respond within one month.

  4. Use strong, unique credentials. The 23andMe breach was enabled by credential stuffing. Use a unique, randomly generated password for every genetic testing service, and enable two-factor authentication wherever available.

  5. Choose EU-based services for future analysis. If you want to analyze your raw data for health insights, pharmacogenomic interactions, or ancestry, choose a service that processes data exclusively within the EU. Evaluate providers against the criteria outlined above.

  6. Read the privacy policy. Not the summary. The actual policy. Look for specific commitments on data hosting location, encryption standards, third-party sharing, and deletion procedures. Vague language like "we take your privacy seriously" without concrete technical and legal commitments is a red flag.

  7. Consider the familial implications. Before sharing your genetic data with any service, remember that you are also sharing information about your biological relatives. Discuss genetic testing with close family members, particularly if you plan to use relative-matching features.

Conclusion

GDPR gives European residents the strongest genetic data protections in the world. But rights on paper are only as strong as the infrastructure and policies that implement them. The 23andMe breach and subsequent bankruptcy demonstrated that even the largest consumer genetics company can fail to protect the data entrusted to it -- and that corporate collapse can turn your genome into a liquidation asset.

The question is not whether your genetic data deserves the highest standard of protection. The law already answers that. The question is whether the service you choose actually delivers it. Demand EU-based hosting. Demand real encryption. Demand true deletion. Demand that your genome is treated with the gravity it deserves.

Your DNA is not a data point. It is the most intimate record of who you are. Protect it accordingly.
