Your genome is the most personal data you possess. It is immutable, uniquely identifying, and inherently familial — it reveals information not just about you, but about your biological relatives. Unlike a password or even a fingerprint, genomic data cannot be changed if compromised. The legal framework governing how this data is collected, processed, and protected therefore matters more than it does for any other category of personal information.
What makes genetic data different
From a data protection perspective, genetic data has several properties that distinguish it from other types of personal data:
- Permanence: Your genome does not change. A data breach involving genomic data creates a permanent exposure — there is no equivalent of resetting a password.
- Identifiability: Genomic data is inherently identifying. Even partial genome data can be used to re-identify individuals, as demonstrated by multiple forensic genealogy cases.
- Heritability: Your genetic data reveals information about your biological parents, siblings, and children. A breach does not affect only the individual — it affects the entire biological family.
- Predictive power: Genetic data can predict future health conditions, creating potential for discrimination in insurance, employment, and other domains if improperly accessed.
These properties mean that genetic data requires the highest tier of legal protection — not just corporate policy, but enforceable law with real consequences for violations.
How GDPR classifies genetic data
The General Data Protection Regulation (GDPR), which took effect in May 2018, classifies genetic data as "special category data" under Article 9. This is the most protected classification in EU law, alongside data about health, racial or ethnic origin, biometrics, and sexual orientation.
Processing special category data is prohibited by default. It is only permitted under a limited set of lawful bases — the most relevant for genomics being explicit consent (Article 9(2)(a)). This is a higher standard than the "legitimate interest" or "contractual necessity" bases that apply to ordinary personal data.
In practical terms, this means:
- A genomics company cannot process your genetic data based on a pre-checked checkbox or a buried clause in terms of service. Consent must be freely given, specific, informed, and unambiguous.
- Consent can be withdrawn at any time (Article 7(3)), and the data controller must then stop processing and, upon request, delete the data.
- Data can only be used for the specific purposes consented to. Any new purpose requires fresh consent.
The rights GDPR gives you over your genome
Under GDPR, individuals have a comprehensive set of rights over their personal data. For genetic data, the most relevant are:
- Right of access (Art. 15): You can request a complete copy of all genetic data held about you, along with information about how it is being processed and who it has been shared with.
- Right to erasure (Art. 17): You can request permanent deletion of your genetic data. The data controller must comply within 30 days.
- Right to data portability (Art. 20): You can request your data in a structured, machine-readable format and transfer it to another provider.
- Right to restriction of processing (Art. 18): You can request that processing be paused while a dispute or objection is resolved.
- Right to object (Art. 21): You can object to specific types of processing, including profiling.
These are not voluntary courtesies. They are legally enforceable rights backed by supervisory authorities with the power to issue fines of up to 4% of global annual revenue or €20 million.
GDPR vs. US genetic data protection
The United States does not have a federal equivalent to GDPR for genetic data. The existing legal landscape is fragmented:
- GINA (2008): Prevents genetic discrimination by health insurers and employers, but does not cover life insurance, long-term care insurance, or disability insurance. It says nothing about data processing, storage, or breach obligations.
- HIPAA: Applies only to covered entities (healthcare providers, insurers) and their business associates. Consumer genomics companies that sell directly to consumers are typically not covered entities.
- State laws: A patchwork. Illinois, California, and a few other states have enacted genetic privacy laws, but most states have no specific genetic data protection statute.
The result is that a US-based genomics company's privacy policy is, in most cases, a voluntary commitment — not a legal obligation. If the company changes ownership, goes bankrupt, or simply decides to update its terms, the policy can change. There is no federal regulator specifically tasked with enforcing genetic data protections.
Why jurisdiction — not just policy — matters
The critical insight is that GDPR protections are jurisdictional. They apply to data processed within the EU, regardless of the nationality of the data subject or the country of incorporation of the company that collected it. If your genome is sequenced and analyzed in an EU-based laboratory, GDPR governs the entire data lifecycle — from sample receipt to data deletion.
This means that even if you are a US resident, your genetic data processed in the EU receives GDPR protection. This is not an opt-in feature. It is an automatic consequence of where the processing occurs.
Dante Labs' partner laboratory is located in Italy — an EU member state. Every genome sequenced by Dante is processed under GDPR jurisdiction. Your data cannot be sold, transferred to a third party, or used for a purpose you did not explicitly consent to — and this is backed by EU law, not a corporate promise.
What this means in practice
For someone considering a whole genome sequencing test, the question of data protection should be as important as the question of test accuracy. The data you are generating is the most personal information that exists — and the legal framework governing it determines what can and cannot happen to that data, not just today, but for the rest of your life.
GDPR is not a certification you earn and display. It is the law of the land where your data is processed. And for genetic data — which is permanent, identifying, familial, and predictive — it represents the strongest protection framework available anywhere in the world.