EEA, UK and Switzerland Privacy Notice
Last Updated: October 4, 2023
This EEA, UK and Switzerland Privacy Notice (“Notice”) explains how 23andMe complies with certain privacy rights specifically available to individuals located in the European Economic Area (inclusive of the European Union) (“EEA”), United Kingdom (“UK”), or Switzerland.
To make it simple, we use the same terms as defined in our Privacy Statement and Terms of Service. Any new terms will be defined below. This Notice should be read together with our Privacy Statement, Cookie Policy, and our Terms of Service.
1. Our relationship with you
We are the “controller” of your Personal Information because we determine the means and purposes of processing your information when using our Services.
2. Legal bases for processing Personal Information
The laws of your country require us to rely on certain conditions to process your information. When we process your information, we rely on the following conditions or “legal bases”:
- Your consent
- Legal obligations
- Contracts we entered with you or to take steps at your request prior to entering into a contract with you
- Legitimate interests to protect the property, rights or safety of 23andMe, our customers or others.
3. Privacy Rights
Residents of the EEA, UK, and Switzerland have the right to access, delete, correct, withdraw their consent, and have portability of their information. We believe all our customers should have strong privacy controls, which is why our Privacy Statement outlines how you can access, download, and delete your personal information and you can contact customercare@23andme.com for further assistance. In addition, you have the right to object to or restrict the processing of your Personal Information. To exercise such rights, please contact us at privacy@23andMe.com. We will handle your request under applicable law, and, in some cases, your ability to access or control your Personal Information will be limited as required or permitted by applicable law.
4. International Transfers
We are a global business, meaning your Personal Information will likely be transferred to, stored, and processed in the U.S. and other countries outside of where you live. When we conduct such transfers, we rely on various legal bases to lawfully transfer Personal Information around the world, including fulfillment of our agreements with you, your prior consent, adequacy decisions for relevant countries, or other transfer mechanisms as may be available under applicable law, such as the European Union Commission approved standard contractual clauses.
In cases where Personal Information may be transferred to or processed in locations outside of the European Economic Area (EEA), UK, and Switzerland, which have not been determined by the European Commission, UK ICO, or Swiss FDPIC to have an adequate level of data protection, 23andMe takes measures designed to provide the level of data protection required in the EU, UK, or Switzerland including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission or another adequate transfer mechanism. 23andMe has entered into transfer agreements based on the Standard Contractual Clauses which allow for the processing and transfer of personal data.
In addition, 23andMe complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. 23andMe has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. 23andMe has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
23andMe is responsible for the processing of Personal Information it receives or subsequently transfers to a third party acting as an agent on its behalf. 23andMe complies with applicable data protection law, including Data Privacy Framework Principles for all onward transfers of Personal Information from the EEA and Switzerland, including the onward transfer liability provisions in the Data Privacy Framework Principles.
With respect to Personal Information received or transferred pursuant to the Data Privacy Framework Principles, 23andMe is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, 23andMe may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-US Data Privacy Framework Principles, 23andMe commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact:
Privacy Officer
23andMe, Inc.
349 Oyster Point Blvd.,
South San Francisco CA 94080
1.800.239.5230
privacy@23andMe.com
23andMe has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and/or to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
If you have questions about our Data Privacy Framework certifications, we encourage you to contact us at privacy@23andMe.com.
5. Complaints or Questions
If you have any questions about our privacy practices or believe that we have infringed your rights, we encourage you to contact us directly at:
Privacy Officer
23andMe, Inc.
349 Oyster Point Blvd.,
South San Francisco CA 94080
1.800.239.5230
privacy@23andMe.com
Alternatively, you may contact 23andMe’s EEA, UK and Swiss member representative, DataRep, through https://www.datarep.com/23andme or by sending an email to datarequest@datarep.com. If you are an individual in Switzerland, you can send a message to DataRep at the following postal address: DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland.
You also have a right to lodge a complaint with a competent supervisory authority situated in the country of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details for the EEA here, the UK here, and Switzerland here.