EU Law

Contract on genetic testing. Is it really worth it?

 I’ve already written about legal traps of genetic ancestry testing. Now it’s time to get more  specific, I’ll take a look at a contract for genetic testing which is to be executed between  you and a company that provides such services. Is it really worth it? I don’t think so, but you make your own decision.

contract on genetic testing is it worth it?






To begin with, let’s make sure if you are  fully aware of what data a company that shall test your DNA  to discover who were your ancestors will collect from you and process. Besides your DNA sample, of course. First of all, such a company will know at least:

1) Your name,

2) Year of your birth,

3) In which country you currently live,

4) Your e-mail address,

5) Your credit card or bank account number depending on how you pay for the DNA test,

6)  IP address of your computer,

7) The company will learn what operating system you use on your computer,

8) If you use a mobile device to log in to your account created for you by a company then  they will  also find out what operating system you use on it,

9) Which company is your internet provider,

That’s a lot of a very personal knowledge about you. Data, “ordinary” personal data but also super sensitive personal data – a sample of your DNA. It is worth choosing wisely, who you entrust such knowledge to and what can be done with it. And here I get back to a concrete example. Take a closer look at the contract on genetic testing of so much recommended by Spidersweb

Of course, the first contact with their website is pleasant. The company explains beautifully how simple it all is. You pay and they’ll send you a DNA kit. Then you send back the sample, and they’ll test it. The results, i. e. the genetic profile of your ancestors, can be collected only by you after logging into your account created at Ancestry. com

Ordering the service is easy, although it can be done only in English.  At the very bottom of the order form you will find two inconspicuous links to the documents titled “Terms and Conditions” and “Privacy Statement“. By placing and paying for your order you have of course entered into  a contract on genetic testing with .  The most important thing is that the Terms and Conditions and the Privacy Statement are part of your contract with  the company. Therefore it is a very good reason to have a closer look at both documents, don’t you think?





perils of genetic testing













Both documents have 39 pages in total and of course they are available only in English.  Naturally, it is not a plain, simple English   but its far more complex version soaking with legal jargon.

Besides, when you read  it, you’ll find out that both documents contain links to other documents (also in English, of course).  On top of that, the wording of “Terms and Conditions” (T&C) as well as  “Privacy Statement” (PS) is often very ambiguous  – at least from my perspective.

However it is precisely T&C that states  the terms of service delivered to you by While PS is a document describing what rights you have with respect to the data you provide to the company and how the company protects your privacy.

 In general, it reminds me a lot of  Oracle’s strategy on  licensing when renewing Java. I’ve written about this strategy and  the perils of Oracle’s audits in my post on Java licensing and preparation to Oracle’s audits. It looks very similar to me here, only in a better package.





processing data













This “better package” is not due to the goodwill of the company but rather to EU regulations.

 I have already written about the basic requirements of the EU General Personal Data Protection Regulation (GDPR), which also applies to non-EU companies such as Ancestry.

Unfortunately, if you  are based outside of European Union then  GDPR will not protect  you. You must rely fully on T&C and PS content unless there are any legal regulations in your country which guarantee an additional protection of your  personal data.





genetic data protection














Of course Ancestry is aware of  GDPR , so even though they are a US company, they still ensure in T&S and PS that they fully comply with GDPR  and EU consumer protection regulations.

In accordance with Article 27 of  GDPR, Ancestry has also appointed its legal representative in the EU and this is their company registered in Ireland.

However, the Data Collector of your personal data, in a sense of GDPR ,  is still a company from US and it is them who ensure your data is  protected and processed in accordance with  GDPR.

Of course you know that your genetic data is a  very specific type of personal data which requires higher standards of protection in light of GDPR.  Ancestry is to make sure of that but you won’t know the details.  However  you will learn from T&C and PS  that the company will not necessarily test  your genetic profile alone. They will use laboratories other subcontractors and collaborators to do this and to deliver the service they were contracted for.

It is true that one reads in T&C and PS that the security of data processing will be ensured at the highest level at all times. But let’s be honest. You need to take this declaration for granted with no tangible evidence.

The reality  is that until the security of Ancestry’s personal data processing is checked by an external audit and/or inspection, it will be difficult to tell whether this  protection is sufficient.

And now the question is to what extent would such an inspection by a Data Protection Authority from any  EU country  be actually effective?

Remember that officials would have to control a company based outside of  EU. According to GDPR, it is possible, but what would it like in practice and what real effect the possible fine  would have on  the company ?

Good question, isn’t  it?







Your faith in  security of your personal data must be strong hence the DNA sample you sent to the company will  never return to you.  The question of how this fits within GDPR provisions and the right to be forgotten is left open. In addition, please note that the Company can assign its rights and obligations under T&S (including those relating to the protection of your personal data, genetic data) to anyone, even without your permission. So you have absolutely no control over who gets full access to your personal data after such an assignment.



















If you read in T&C, you will find that by paying for the service of creating your genetic profile you have agreed this contract is  interpreted in accordance with Irish laws. As long as you’re a client based outside of the United States. And it is only the Irish courts that will settle any disputes under the contract. This is not the best of news if you are not Irish. The cost of legal service and will be considerable, not to mention that you probably have  no idea about Irish law or civil court procedure.






Ancestry testing can be tricky












In my opinion, absolutely not. At least not under these or similar conditions. The risk is too high in relation to potential profits. You’ll learn the genetic profile of your ancestors and find out where you come from but in the meantime, you’ll serve someone your full genetic profile  and other personal data on a silver platter.

And all this without any real control over how your data will be protected and who will actually have access to it.

Think about it.

Regards, Prawstoria

Powiązane artykuły

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button