Data Protection
23andMe is committed to the robust data privacy and security protections enabled by GDPR compliance.

In 2016 the European Commission approved and adopted the General Data Protection Regulation (GDPR), a new framework for European data protection law. The GDPR is effective as of May 25, 2018 and applies to companies who process personal data of individuals in the EU. The GDPR strengthens the rights these individuals have regarding personal data relating to them, and seeks to unify data protection laws across Europe, regardless of where data is processed.

What is the GDPR?

The GDPR is a new European data protection law which replaces the existing EU data protection regime under Directive 95/46/EC. The GDPR sets out provisions intended to harmonize data protection laws throughout the EU by applying a single data protection law that is binding throughout all Member States. The GDPR is effective as of May 25, 2018.

Does the GDPR apply to 23andMe?

The GDPR applies to virtually all organizations, including 23andMe, that process the personal data of EU residents through services offered to them, regardless of whether the organization is physically based in the EU. The GDPR applies to 23andMe because we market and provide the Personal Genetic Service in EU Member States through our UK, EU and International sites. For a list of countries we ship to in the EU, click here.

Your 23andMe Data

23andMe is committed to GDPR compliance through our robust data privacy and security protections. This page, our full privacy statement, terms of service, research consent document, sample storage consent document and frequently asked questions all provide information meant to help you understand our practices. If you have questions, please contact us at privacy@23andMe.com.

Step One
1. When, how, and why your data is processed.

23andMe is committed to being transparent about the kinds of information we collect, the reasons we collect it, and how it is used.

For a full overview of 23andMe's processing activities, please review our privacy statement. To change your cookie settings, please visit our cookie policy.

23andMe generally processes personal data for the following purposes:

  • Complete kit purchase(s).
  • Create an account and register a kit(s) to that account.
  • Market and advertise our products and promotions.
  • Perform website maintenance, usage, and analytics, as well as network and infrastructure security.

We generally process sensitive personal information, including genetic information, and other personal information in order to:

  • Process your sample at our contracted lab.
  • Compute and populate your reports.
  • Maintain and develop your account's tools, features, and functionality.
  • Participate in 23andMe Research.
  • Assist you through our Customer Care channel.

Step Two
2. Accessing, downloading, and deleting your data.

At its core, the GDPR is about enabling individuals to find out what personal data we hold about them, why we hold it, and who we disclose it to.

As a 23andMe customer, you can access and download your data from within your account. Specifically, you can:

  • Access and download your 23andMe reports, genetic data, self-reported survey data, and other personal data at any time within your account.
  • Request a copy of your personal data processed by 23andMe's third party service providers. We work with these third party service providers to provide, analyze, and improve our Service.
  • Learn more about accessing and downloading your personal data here.

You can delete your 23andMe account and data from within your account settings at any time. Once you submit and confirm your request, we will delete your data. Data deletion is permanent and cannot be canceled, undone, withdrawn, or reversed. Learn more about deleting your personal data here.

23andMe customers in the EU have additional rights under the GDPR, including the right to object to the processing of their personal data, restrict the processing of their personal data, and to rectify inaccurate or incomplete personal data. Learn more about these rights here.

Step Three
3. Managing our third party service providers.

23andMe directly conducts the majority of data processing activities required to provide our Ancestry and Health + Ancestry Services to you. However, we do engage some third party service providers to assist in supporting these Services, including in the following areas:

  • Our genotyping lab, LabCorp
  • Customer Care
  • Cloud storage
  • Marketing and analytics
  • IT and Security

Our rigorous selection process ensures each third party service provider complies with the GDPR and can deliver the appropriate level of security and data protection. Please review our Privacy Statement for more information about our third party service providers.

Step Four
4. Safeguarding your data.

Under the GDPR, organizations that collect and store personal data must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with processing personal data. 23andMe uses industry-leading organizational and technical measures to keep personal data secure. Learn more.

Step Five
5. International data transfers.

To comply with European legal requirements around international data transfer mechanisms, we self-certify under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

Want to learn more? Review our FAQs on data protection or submit an inquiry to Customer Care.
