photo
12.06.2026

Sensitive personal data in the age of genomics – a report on the Open Expert Lecture

On June 11, 2026, the second in a series of Open Expert Lectures organised by the Personal Data Protection Office took place. This time, it focused on the processing of genetic data and the legal, technical, and practical issues associated with it.

The Open Expert Lecture Series is an initiative dedicated to the most important challenges related to the protection of personal data and privacy in the context of the development of new technologies. The goal of this series of meetings is to create a space for the exchange of knowledge and experiences regarding key and current issues, as well as trends in the field of data protection.

In his opening remarks at the event, Mirosław Wróblewski, President of the Personal Data Protection Office, highlighted the importance of genetic data and its proper protection in today’s world. Genomics demonstrates the immense potential of modern science and can help with the early detection of diseases, the development of new therapies and medications, and the more accurate identification of disease risks.

At the same time, we must not forget that genetic data is not mere information, but concerns human beings on a very deep level. It can reveal hereditary traits, health predispositions, and information about one’s family. It also remains unchanged throughout a person’s life; therefore, when processing such data, care must be taken to ensure respect for the rights of the data subject, their informational autonomy, and human dignity, as well as national security.

“We must avoid falling into extremes. Data protection does not restrict scientific research; it merely ensures that progress is not made at the expense of human beings,” emphasised Mirosław Wróblewski.

The President of the Personal Data Protection Office also referred to the guidelines of the European Data Protection Board on the processing of personal data for scientific research purposes. These guidelines state that such data is an asset that makes it possible to achieve what was impossible a few years ago. However, ethical standards must be upheld, as well as verifiability, transparency and accountability. Everyone has the right to know who is processing their data and on what terms. The risk of losing control over this data is, after all, very high.

It is therefore important to be able to clearly assign responsibility for data processing, as a great many parties are involved in such research – each must be aware of their role and scope of responsibility, as well as who, in a given case, actually determines the purposes and means of processing personal data. Another serious problem is the anonymisation of this data, which is becoming increasingly difficult in the age of artificial intelligence, where re-identification is possible.

This was followed by the keynote lecture, ‘Sensitive personal data in the age of genomics’, delivered by Prof. Michał Witt, Chairman of the Committee on Human Genetics and Molecular Pathology at the Polish Academy of Sciences. The expert began by defining genetic data as personal data relating to a person’s genetic characteristics, revealing unique information about their health and physiology, derived from the analysis of a biological sample taken from that person. He also highlighted the main sources from which such data is obtained, the entities involved in its processing, and the Polish legislation governing these matters.

Professor Witt also discussed the most common cases of genetic testing carried out by private companies, particularly in the US – the so-called DTC, or ‘direct-to-consumer’, tests. These are usually used to establish paternity, trace one’s ancestry or search for potential relatives. The speaker pointed out, however, that in this way companies gain access to extensive databases containing highly sensitive data, which they are then keen to pass on, for example, to the security services. He also described cases where genetic data had been used to track down a previously elusive criminal, but also to identify a sperm donor who was, in theory, supposed to remain anonymous.

More space was devoted to the history of 23&Me, a company that once dominated the market for this type of test. However, when a major data breach undermined confidence in the company, it filed for bankruptcy, following which it was sold to a non-profit organisation owned by its founder. As a result, a completely new entity took over the company’s vast amount of customer genetic data. Although the company had been in operation for 25 years, only 300 medical studies were carried out using this database, which did not lead to the discovery of a single medicine.

Other issues highlighted by Prof. Michał Witt concern the admissibility of genome sequencing, which is now possible even at the prenatal stage. China also poses a threat, as it conducts such research on a large scale and actively collects genetic data from people around the world. Companies from China therefore likely also hold information on the genomes of thousands of Polish citizens. This issue therefore requires swift and strict regulation, which, however, has not been implemented in Poland for many years.

The issue of potential regulation of medical data processing was the subject of a panel discussion following the lecture. The starting point was a report by the Supreme Audit Office dating back to 2018 – that is, from before the GDPR came into force. The report highlighted numerous irregularities in the supervision of genetic testing in Poland, which can currently be carried out by virtually any organisation.

Anna Białek, Director of the International, Constitutional and European Law Unit at the Office of the Ombudsman, who was chairing the discussion, asked Prof. Michał Witt – who had been involved in the first attempt to draft regulations on this matter in 2012 – whether such regulations were still necessary at all, given that testing has been carried out for 14 years without any regulatory framework. The expert pointed out that the regulations are still needed, but that it is necessary to start completely from scratch, as the legal and technical landscape has changed. He also noted that regulating genetics is a politically risky issue, which is why no one wants to tackle it properly.

Monika Gos, a professor at the Department of Genetics of the Mother and Child Institute, pointed out that it had been clear from the very beginning of the institution’s operation that additional regulations were needed. These should cover issues such as who is authorised to commission such tests, the admissibility of commercial tests, the retention period for data and samples, the transfer of data and samples abroad, oversight of the entities carrying out the tests, and which data should be reported and which should not.

Monika Krasińska, Director of the Law and New Technologies Department at the Personal Data Protection Office, pointed out that the Office has long been highlighting the need to regulate the protection of genetic data. However, time is running out, as Poland must implement the EHDS provisions relating to health data. Meanwhile, many controllers of such data are unaware of the obligations under the GDPR regarding its processing. Although the GDPR itself is directly applicable, relying solely on consent, as is currently the case, is insufficient, as consent can be withdrawn at any time, and the genetic data of deceased individuals may also be of significance to their living relatives.

This topic was explored by Professor Marek Czarkowski of the Faculty of Medicine at the Cardinal Stefan Wyszyński University in Warsaw, who pointed out that the family members of a test subject must have the subject’s consent in order to obtain information that may also be relevant to their own health. This is not a major obstacle, as they can always undergo a genetic test themselves; it is neither an invasive nor a dangerous procedure. A greater problem is whether test subjects should be informed of potential risks to their future offspring, or whether the children of such a person should be informed, even if they do not ask for this information.