​​Introduction to GDPR in predictive medicine



This article is the first of a series of articles that I will be publishing on the predictive medicine blog related to the General Data Protection Regulation (RGPD) in the field of predictive medicine, especially in relation to genetics.


The GDPR (Regulation (EU) 2016/679) was approved on April 27, 2016 and as indicated in article 99 (the last one), its entry into force is May 25, 2018, that is, more than one year.


People who are registered on many platforms and services will have noticed the different way in which these platforms and services communicate with you and how currently all platforms that collect automatic data and use “cookies” must notify and inform you about the use of the same.


There are several rights that a user can exercise with respect to their personal data in the scope of the GDPR:

  • Right of access of the interested party.
  • Right of rectification.
  • Right of deletion.
  • Right to limitation of treatment.
  • Right to data portability.
  • Right of opposition.


All of these rights have their limitations and exceptions. As an example, I will talk about the Right of access, where a user can request a copy of their data for free, but a “reasonable fee” may be charged for the remaining copies. Here is article 15.3:


“The controller will provide a copy of the personal data being processed. The person in charge may receive a reasonable fee based on administrative costs for any other copy requested by the interested party. When the interested party submits the request by electronic means, and unless he requests that it be provided in another way, the information will be provided in a commonly used electronic format.


And what does this regulation refer to genetics?


The first reference to genetics is given in recital 34, where it says:


“Genetic data shall be understood as the personal data related to genetic characteristics, inherited or acquired, of a natural person, derived from the analysis of a biological sample of the natural person in question, in particular through a chromosome analysis, an analysis of acid deoxyribonucleic acid (DNA) or ribonucleic acid (RNA), or the analysis of any other element that allows obtaining equivalent information.”


Genetic data is considered special category data, its treatment being prohibited, according to article 9.1. In order to process this data there are a number of exceptions that are indicated in article 9.2:


the data subject gave his explicit consent to the processing of such personal data for one or more of the specified purposes, except when Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject ;

The treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or the interested party in the field of labor law and social security and protection, …

the processing is necessary to protect the vital interests of the data subject or of another natural person, in the event that the data subject is not physically or legally capable of giving their consent;

the treatment is carried out, in the scope of its legitimate activities and with the due guarantees, by a foundation, an association or any other non-profit organization, whose purpose is political, philosophical, religious or union, …

the treatment refers to personal data that the interested party has manifestly made public;

the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function;

the processing is necessary for reasons of essential public interest, …

the treatment is necessary for the purposes of preventive or occupational medicine, evaluation of the worker’s work capacity, medical diagnosis, provision of health or social care or treatment, or management of health and social care systems and services, …

the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, …

In other words, only with your explicit consent, platforms such as medmesafe can provide personalized medicine services based on genetic data.


It is time to leave this article at this point, to expand it later with others.


Carlos Martín, CTO of medmesafe


Twitter: https://twitter.com/cmdearcos

Facebook: https://www.facebook.com/cmdearcos

LinkedIn: https://www.linkedin.com/in/cmdearcos/

Instagram: https://www.instagram.com/cmdearcos/

Project manager of the architecture service in SEPE Central Services - Procesia WEB and API architecture service coordinator - INECO Former CTO - medmesafe