Your DNA, Your Rights: Unlocking Access to Your Genetic Data

"A guide to navigating GDPR and genetic testing, empowering you to take control of your health information and challenge data monopolies."


Imagine a future where you have complete control over your genetic information, using it to make informed decisions about your health and contribute to scientific advancements. This future hinges on your ability to access and share your genetic data. However, companies like Myriad Genetics have faced legal challenges over restricting patient access to the underlying data generated from their genetic tests.

In the United States, patients have invoked HIPAA to fight for access to their complete genetic profiles. Now, in Europe, the General Data Protection Regulation (GDPR) offers similar rights, potentially revolutionizing how individuals interact with genetic testing companies. This article explores how GDPR rights intersect with genetic testing, focusing on the balance between patient empowerment and the incentives for companies to innovate in genetic diagnostics.

We'll delve into whether GDPR applies to medical records, analyze how GDPR rights play out in clinical genetic testing scenarios, and discuss the limitations of unconditional access to data. We aim to equip you with the knowledge to understand your rights and the complexities involved in accessing your genetic information.

GDPR: Your Key to Unlocking Genetic Data?

The GDPR grants EU citizens significant control over their personal data, including the right to access, obtain a copy, and transmit their data to third parties. This regulation applies to any organization processing EU personal data, regardless of location. This means genetic testing companies operating within or processing data of EU citizens must comply with GDPR.

However, the application of GDPR to medical records isn't straightforward. While GDPR aims to protect data, healthcare delivery remains a Member State responsibility. Some argue that applying GDPR to medical records could infringe upon the EU Treaty, as Member States have existing doctor-patient confidentiality regimes. The Court of Justice of the EU may ultimately need to clarify this intersection.

  • Right to Access: You can request confirmation whether a company is processing your genetic data, and if so, access that data and related information.
  • Right to Portability: You can receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another party.
  • Data Control: GDPR introduces mechanisms for class actions, allowing multiple data subjects to collectively enforce their rights.

If you're seeking access to your genetic data, it is crucial to understand who the 'controller' of your data is. Typically, the clinician ordering the test, rather than the testing company, is considered the data controller. The testing company acts as a 'processor,' handling data on behalf of the clinician. Therefore, your access requests should initially be directed to your clinician, who then collaborates with the testing company to fulfill your request.

Navigating the Complexities: Limitations and Considerations

While GDPR empowers you to access your genetic data, there are limitations. You may not get unconditional access to all data generated during testing. Medical-professional norms, potential liabilities for testing companies, and the need to protect the database's normal exploitation can restrict the scope of access.

Raw genomic sequencing reads and variant classifications deemed 'clinically insignificant' might be subject to restrictions. Providing this type of information without proper interpretation could be problematic, potentially leading to misinterpretations and anxieties. Furthermore, ethical standards mandate genetic counseling to ensure patients understand the implications of their genetic test results.

Despite these challenges, remember that your genetic data is a valuable asset. By understanding your rights under GDPR and working with your clinicians, you can advocate for greater access to your information and contribute to a future where genetic data empowers individuals and advances scientific knowledge.

About this Article

This article was crafted using a human-AI hybrid and collaborative approach. AI assisted our team with initial drafting, research insights, identifying key questions, and image generation. Our human editors guided topic selection, defined the angle, structured the content, ensured factual accuracy and relevance, refined the tone, and conducted thorough editing to deliver helpful, high-quality information. See our About page for more information.

This article is based on research published under:

DOI: 10.1038/s41431-018-0258-4

Title: Patients v. Myriad or the GDPR Access Right v. the EU Database Right

Subject: Genetics (clinical)

Journal: European Journal of Human Genetics

Publisher: Springer Science and Business Media LLC

Authors: Jasper A. Bovenberg, Mara Almeida

Published: 2018-09-27

Everything You Need To Know

1. What rights does the GDPR provide regarding my genetic data?

The General Data Protection Regulation (GDPR) grants individuals in the EU significant control over their personal data. It includes the 'right to access,' allowing you to confirm if a company is processing your genetic data and access that data along with related information. The 'right to portability' enables you to receive your personal data in a structured, machine-readable format and transmit it to another party. Furthermore, GDPR introduces mechanisms for class actions, allowing multiple data subjects to collectively enforce their rights. These rights are crucial for empowering individuals to control and utilize their genetic information.

2. Why is having access to my genetic data important in the context of GDPR?

Accessing your genetic data under the GDPR is significant because it empowers you to make informed decisions about your health and contribute to scientific advancements. Previously, companies like Myriad Genetics have faced legal challenges over restricting patient access to their genetic data. By exercising your rights under GDPR, you can challenge data monopolies and take control of your health information. This includes using your genetic data for personalized medicine and understanding potential health risks.

3. Does the GDPR apply to medical records and genetic testing?

The GDPR applies to any organization processing EU personal data, regardless of location, which means that genetic testing companies operating within or processing data of EU citizens must comply. However, the application of GDPR to medical records isn't straightforward. While GDPR aims to protect data, healthcare delivery remains a Member State responsibility. Some argue that applying GDPR to medical records could infringe upon the EU Treaty, as Member States have existing doctor-patient confidentiality regimes. The Court of Justice of the EU may ultimately need to clarify this intersection.

4. Who is the data controller when accessing my genetic data?

When seeking access to your genetic data, it's essential to understand who the 'controller' of your data is. Typically, the clinician ordering the test, rather than the testing company, is considered the data controller. The testing company acts as a 'processor,' handling data on behalf of the clinician. Therefore, you should initially direct your access requests to your clinician, who then collaborates with the testing company to fulfill your request. This process ensures that data access is managed appropriately and in accordance with GDPR guidelines.

5. Are there any limitations to accessing my genetic data under GDPR?

While GDPR empowers you to access your genetic data, there are limitations. You may not get unconditional access to all data generated during testing. Medical-professional norms, potential liabilities for testing companies, and the need to protect the database's normal exploitation can restrict the scope of access. This means that while you have rights to your data, there might be circumstances where certain data is not fully accessible due to various legal and ethical considerations.
