EEA, UK and Switzerland Privacy Notice
This EEA, UK and Switzerland Privacy Notice (“Notice”) explains how 23andMe complies with certain privacy rights specifically available to individuals located in the European Economic Area (inclusive of the European Union) (“EEA”), United Kingdom (“UK”), or Switzerland.
1. Our relationship with you
We are the “controller” of your Personal Information because we determine the means and purposes of processing your information when using our Services.
2. Legal bases for processing Personal Information
The laws of your country require us to rely on certain conditions to process your information. When we process your information, we rely on the following conditions or “legal bases”:
- Your consent
- Legal obligations
- Contracts we entered with you or to take steps at your request prior to entering into a contract with you
- Legitimate interests to protect our property, rights or safety of 23andMe, our customers or others.
3. Privacy Rights
Residents of the EEA, UK, and Switzerland have the right to access, delete, correct, withdraw their consent, and have portability of their information. We believe all our customers should have strong privacy controls, which is why our Privacy Statement outlines how you can access, download, and delete your personal information and you can contact firstname.lastname@example.org for further assistance. In addition, you have the right to object or restrict the processing of your Personal Information. To exercise such rights, please contact us at privacy@23andMe.com. We will handle your request under applicable law, and, in some cases, your ability to access or control your Personal Information will be limited as required or permitted by applicable law.
4. International Transfers
We are a global business, meaning your Personal Information will likely be transferred to, stored, and processed in the U.S. and other countries outside of where you live. When we conduct such transfers, we rely on various legal bases to lawfully transfer Personal Information around the world, including fulfillment of our agreements with you, your prior consent, adequacy decisions for relevant countries, or other transfer mechanisms as may be available under applicable law, such as the European Union Commission approved standard contractual clauses.
In cases where Personal Information may be transferred to or processed in locations outside of the European Economic Area (EEA), UK, and Switzerland, which have not been determined by the European Commission, UK ICO, or Swiss FDPIC to have an adequate level of data protection, 23andMe takes measures designed to provide the level of data protection required in the EU, UK, or Switzerland including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission or another adequate transfer mechanism. 23andMe has entered into transfer agreements based on the Standard Contractual Clauses, which allow for the processing and transfer of personal data.
In addition, we continue to participate in and have certified our compliance with both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the EU, EEA, and Switzerland to the United States, respectively. 23andMe remains committed to applying the Privacy Shield Framework's applicable Principles to Personal Information received from the EU, EEA, and Switzerland. If there is any conflict between the terms in this Notice and applicable Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit the U.S. Department of Commerce's Privacy Shield List. As of July 16, 2020, we no longer rely on the EU-U.S. Privacy Shield to transfer data that originated in the EEA or the UK to the U.S.
23andMe is responsible for the processing of Personal Information it receives or subsequently transfers to a third party acting as an agent on its behalf. 23andMe complies with applicable data protection law, including Privacy Shield Principles for all onward transfers of Personal Information from the EEA and Switzerland, including the onward transfer liability provisions in the Privacy Shield Principles.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, 23andMe is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, 23andMe may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
23andMe's commitment to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks entitles you to lodge a complaint via our Privacy Shield independent dispute resolution mechanism. To send your privacy complaints under the Privacy Shield Principles, please contact the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and/or to file a complaint.
As a last resort and under limited circumstances, if you have residual privacy complaints, you may invoke a binding arbitration option before the Privacy Shield Panel.
If you have questions about our Privacy Shield certification, we encourage you to contact us at privacy@23andMe.com.
5. Complaints or Questions
If you believe that we have infringed your rights, we encourage you to contact us so that we can try to address your concerns or dispute informally. Our contact information is:
349 Oyster Pt. Blvd,
South San Francisco CA 94080
Alternatively, you may contact 23andMe's EU member representative, DataRep, at https://www.datarep.com/23andme
You also have a right to lodge a complaint with a competent supervisory authority situated in the country of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details for the EEA here, the UK here, and Switzerland here.