Is a DNA test safe?

Online DNA Testing: A Real Privacy Nightmare

Genetic tests are cool, modern and "fancy" - what could possibly go wrong? Let's be honest: at first glance, deoxyribonucleic acid looks just as unspectacular as data protection law. However, if you take the trouble to subject online DNA tests to a data protection analysis, you will quickly notice that the GDPR violations found are pretty creepy.

Genetic testing as a lifestyle service

A note on terminology: the German abbreviation for DNA is DNS, but "DNA" is widely used in German-speaking countries as well. DNA is not to be trifled with - we have known that since Jurassic Park at least. And yet quite a few people are willing to bare themselves genetically. It was not long ago that the DNA analysis market boomed in Germany. And even today, various genetic test providers process millions of DNA records - in the name of science, of course.

Granted, it sounds tempting. Briefly rub the inside of the cheek with the cotton swab or spit into a tube and the world is at your feet. Well, at least your own origin, if you are interested in genealogy.

Genetic tests by private companies involve high risks - you don't need voracious dinosaurs, a few data-hungry scientists are enough.

DNS = data protection? Well, sure ... not!

Adenine, thymine, guanine and cytosine - many people still associate these with DNS, or DNA, from school lessons. Data protection, however, does not seem to have been on the curriculum. And if it was, the genetic test providers slept through that lesson. A quick review of the common providers should make privacy advocates' hair stand on end:

Lack of anonymity

Those who request and return saliva collection kits are not “just” disclosing their DNA. The provider also learns the customer's name, address and financial data. This opens the door to profiling. Address, bank details and even the name can be changed - but the DNA? It stays until death do us part ... and beyond, as a 10,000 year old chewing gum shows.

Quite the dad!

Since the genetic test providers advertise that they shed light on one's ancestry, it is an obvious step to use the analyses for something else entirely: finding out whether the little darling at home is really your own. According to c’t, the providers do not check who the DNA sample came from. A potential father can send in his own and the child's saliva samples. The knowledge gained from this not only causes a lot of disputes, it also discloses direct family relationships. The genetic test providers should be pleased, as this generates steady sales. When two people argue, the third is happy ...

Trading in genes

This is certainly not the first time that genetic testing providers have asked this question. Up to $20,000 per genome was already the going price in 2015 - the value of DNA is unlikely to have decreased since then. The providers who diligently resell the DNA received from testers are also aware of this. The highest bidder? Research, pharmaceutical industry & Co. The former data protection officer of the state of Schleswig-Holstein, Mr. Thilo Weichert, warns:

"As a customer, I have no idea, let alone control what they do with the data."

It starts with shipping: some parcel carriers are not exactly reliable. The analysis is outsourced to laboratories and results are stored on various servers - there is a risk of security breaches and data loss everywhere.

However, there is no need to look for data leaks, because DNA data is also passed on officially: genetic test providers such as 23andMe or AncestryDNA ask during registration whether one would like to participate in the research project. Anyone who agrees here also believes that he or she has nothing to hide ... However, some of those who agree may only have given their consent because they thought the data would be used for medical research, which ultimately saves lives. The DNA data was also used in other studies, for example to explain why some people are more willing to take risks than others. Is this of medical relevance?

Genetic test providers are flirting with the pharmaceutical industry. For example, 23andMe signed a contract with the pharmaceutical giant GlaxoSmithKline, which made an offer that 23andMe couldn't refuse: $300 million in exchange for access to the DNA data. The DNA test provider with the strange name has other partnerships to show, namely with universities, non-profit organizations, other pharmaceutical companies and the cosmetics division of Procter & Gamble - terrifying, isn't it?

AncestryDNA was also generous in distributing the DNA data when the Google subsidiary Calico Life Sciences wanted to research genetic factors for lifespan. The collaboration has now ended - for whatever reason.

Bizarre: AncestryDNA collaborates with ... drum roll ... Spotify! Once your origin has been determined, supposedly fitting music is suggested to you - seriously?!

What DNA reveals

A lot can be gleaned from DNA, not just ancestry. For knowledgeable researchers, it yields an informative picture of the DNA owner's hereditary diseases, allergies and food intolerances. Imagine if this data were made public: your insurer would be up in arms, and higher premiums would be inevitable. Incidentally, this does not only apply to you, but also to your parents and future generations. There is no end in sight. The consequences would also be clearly noticeable in the world of work.

Hair-raising examples

A little research reveals the unbelievable. Well-known genetic test providers fail by the dozen when it comes to data protection. Caution: constant head-shaking may leave you with a stiff neck!


MyHeritage wants even more data. To get it, the provider exploits the cluelessness of its customers, inviting them to take part in surveys, for example on nutrition or facial features. Incomprehensible? Yes!

To make matters worse, the data obtained is not even secure. This is shown by a past hacker attack in which 92 million sets of access data were leaked.


The network data protection experts dealt extensively with AncestryDNA in a report and found a large number of data protection violations. The data protection shortcomings are too numerous to describe briefly here. It is not without reason that the report bears the subtitle: “And where is data protection?”.


This genetic test provider is dangerously close to Google. Why? Here is why: when it was founded in 2006, Google Ventures was one of the main investors. The founder of 23andMe is Anne Wojcicki, who was married to Sergey Brin, the co-founder of Google. Susan Wojcicki, Anne Wojcicki's sister, is YouTube's CEO. And who is on the board of 23andMe? Neal Mohan, YouTube's top advertising strategist and Google board member. You don't need a tinfoil hat to find that strange.

Do you want more proof?

Patrick Chung, also a bigwig at 23andMe, announced in 2013:

"Once you have the date, [the company] does actually become the Google of personalized healthcare."


Family Tree DNA is not particularly strict about data protection either. The company has released two million DNA profiles to the FBI - without a court order. Any questions?


Huh, what does a muesli manufacturer have to do with this topic? Very simple: myMuesli has recently started offering a DNA muesli. No joke! It cooperates with LykonDX GmbH from Berlin.

MyMuesli moves in a gray area: DNA analyses fall under the Genetic Diagnostics Act, which allows health-related genetic examinations to be carried out only by a doctor. MyMuesli only has those genes examined that can be used to determine a person's metabolic and sports type. Whether this is really the case is debatable.

A well-meant piece of advice

Online DNA tests can deliver exciting, often unexpected results. As interesting as they are, the way they are handled under data protection law is much less pleasant. If you still want to risk a genetic test, it is advisable to provide as little additional data as possible and to familiarize yourself in detail with the respective data protection regulations in advance.

About the author

Bianca Pettinger, fully qualified lawyer

Data protection - isn't that boring? On the contrary. As a right of defense against the state, the right to informational self-determination in everyday life between digitization and surveillance is more important than ever. It is my aim to draw attention to this.

intersoft consulting services AG