GDPR and DPA Genome/Sensitive data

Who collected the genetic data? A hospital? A research lab? The data subject should contact the data controller who collected the data and exercise the right of erasure according to the privacy notice.

The data controller will verify if the request can be fulfilled or not. Member States may introduce specific limitations to data subjects' rights (even to the sensitive data under Article 9 GDPR) in order to protect scientific research programs, for example. So maybe there is a legitimate base to keep the genetic data in the database without the consent of the data subject.

Controller processing genetic data should have a Data Protection Officer (DPO), so the data subject may contact the DPO in order to have clarification.

Here you can find more information about consent:

• Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//