EEA, UK and Switzerland Privacy Notice
Last Updated: October 4, 2023
This EEA, UK and Switzerland Privacy Notice (“Notice”) explains how 23andMe complies with certain privacy rights specifically available to individuals located in the European Economic Area (inclusive of the European Union) (“EEA”), United Kingdom (“UK”), or Switzerland.
1. Our relationship with you
We are the “controller” of your Personal Information because we determine the means and purposes of processing your information when using our Services.
2. Legal bases for processing Personal Information
The laws of your country require us to rely on certain conditions to process your information. When we process your information, we rely on the following conditions or “legal bases”:
- Your consent
- Legal obligations
- Contracts we entered with you or to take steps at your request prior to entering into a contract with you
- Legitimate interests to protect our property, rights or safety of 23andMe, our customers or others.
3. Privacy Rights
Residents of the EEA, UK, and Switzerland have the right to access, delete, correct, withdraw their consent, and have portability of their information. We believe all our customers should have strong privacy controls, which is why our Privacy Statement outlines how you can access, download, and delete your personal information and you can contact email@example.com for further assistance. In addition, you have the right to object or restrict the processing of your Personal Information. To exercise such rights, please contact us at privacy@23andMe.com. We will handle your request under applicable law, and, in some cases, your ability to access or control your Personal Information will be limited as required or permitted by applicable law.
4. International Transfers
We are a global business, meaning your Personal Information will likely be transferred to, stored, and processed in the U.S. and other countries outside of where you live. When we conduct such transfers, we rely on various legal bases to lawfully transfer Personal Information around the world, including fulfillment of our agreements with you, your prior consent, adequacy decisions for relevant countries, or other transfer mechanisms as may be available under applicable law, such as the European Union Commission approved standard contractual clauses.
In cases where Personal Information may be transferred to or processed in locations outside of the European Economic Area (EEA), UK, and Switzerland, which have not been determined by the European Commission, UK ICO, or Swiss FDPIC to have an adequate level of data protection, 23andMe takes measures designed to provide the level of data protection required in the EU, UK, or Switzerland including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission or another adequate transfer mechanism. 23andMe has entered into transfer agreements based on the Standard Contractual Clauses which allows for the processing and transfer of personal data.
23andMe is responsible for the processing of Personal Information it receives or subsequently transfers to a third party acting as an agent on its behalf. 23andMe complies with applicable data protection law, including Data Privacy Framework Principles for all onward transfers of Personal Information from the EEA and Switzerland, including the onward transfer liability provisions in the Data Privacy Framework Principles.
With respect to Personal Information received or transferred pursuant to the Data Privacy Framework Principles, 23andMe is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, 23andMe may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-US Data Privacy Framework Principles, 23andMe commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact:
349 Oyster Point Blvd.,
South San Francisco CA 94080
23andMe has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and/or to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
If you have questions about our Data Privacy Framework certifications, we encourage you to contact us at privacy@23andMe.com.
5. Complaints or Questions
If you have any questions about our privacy practices or believe that we have infringed your rights, we encourage you to contact us directly at:
349 Oyster Point Blvd.,
South San Francisco CA 94080
Alternatively, you may contact 23andMe’s EEA, UK and Swiss member representative, DataRep, through https://www.datarep.com/23andme or by sending an email at firstname.lastname@example.org. If you are an individual in Switzerland, you can send a message to DataRep at the following postal address: DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland.
You also have a right to lodge a complaint with a competent supervisory authority situated in the country of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details for the EEA here, the UK here, and Switzerland here.
Click here to view the older version of this notice.