Helix Insight

GDPR Compliance

Genetic data is classified as special category data under GDPR Article 9, requiring additional legal safeguards beyond those for ordinary personal data. Helix Insight is designed to meet these requirements at every level -- legal, organizational, and technical.

Controller and Processor Roles

The distinction between data controller and data processor is fundamental to how genomic data flows through the platform:

Laboratory (Data Controller)

The clinical genetics laboratory determines the purposes and means of processing. The laboratory is responsible for: ensuring a lawful basis for processing the genomic data (typically explicit consent under Article 9(2)(a) or healthcare provision under Article 9(2)(h)), obtaining any necessary patient consents, providing only pseudonymized data (sample IDs, no patient names or identification numbers), and deciding on data retention periods. Note that pseudonymized data remains personal data under GDPR (Recital 26): pseudonymization reduces risk but does not take the data out of scope, and the laboratory must keep the key linking sample IDs to patients separate from the data it supplies.

Helena Bioinformatics (Data Processor)

Helena Bioinformatics processes genomic data exclusively on documented instructions from the data controller. As processor, we: process data only for the purposes specified in the Data Processing Agreement, implement appropriate technical and organizational security measures, do not engage sub-processors without prior written authorization, assist the controller in responding to data subject requests, and delete or return all data upon termination of the agreement.

Legal Basis for Processing

Genomic Data (Special Category)

Article 9(2)(a): explicit consent of the data subject, or Article 9(2)(h): processing necessary for the provision of healthcare. Processing special category data also requires a lawful basis under Article 6(1); which bases apply is determined by the data controller (laboratory), not by Helena Bioinformatics. As processor, Helena Bioinformatics does not rely on a legal basis of its own for this data: it processes it solely on the controller's documented instructions under the Article 28 Data Processing Agreement.

Account Data

Article 6(1)(b): contractual necessity. Name, email, organization, and role are collected during registration to provide the service.

Usage Data

Article 6(1)(f): legitimate interest. IP addresses, session duration, and pages visited are collected for security monitoring and service improvement.

Data Subject Rights

Data subjects (patients whose genomic data is processed) retain their full rights under GDPR Chapter III. Because the laboratory is the data controller, rights requests are routed through the laboratory, which is responsible for responding within the statutory one-month period (Article 12(3)). Helena Bioinformatics assists the laboratory in fulfilling these requests, as required of a processor by Article 28(3)(e):

Access (Article 15): confirmation of processing and a copy of the data being processed.
Rectification (Article 16): correction of inaccurate data.
Erasure (Article 17): deletion of genomic data, subject to legal retention requirements.
Restriction (Article 18): limitation of processing while a dispute is resolved.
Portability (Article 20): export of data in machine-readable format (VCF, PDF).
Objection (Article 21): right to object to specific processing activities.

Data Protection Impact Assessment

A DPIA is mandatory under GDPR Article 35(3)(b) when special category data such as genetic data is processed on a large scale. The obligation to carry out the DPIA rests with the data controller; the processor must assist it (Article 28(3)(f)). To support this, Helena Bioinformatics has conducted a comprehensive DPIA of its own processing covering: the nature and scope of processing, necessity and proportionality assessment, risk identification (unauthorized access, data breach, re-identification), and mitigation measures (encryption, physical isolation, access controls, audit logging, automatic deletion).

The full DPIA summary is available at Data Protection Impact Assessment.

International Transfers

No genomic data or personal data is transferred outside the European Economic Area. All processing occurs on infrastructure located in Finland (EU). Should a transfer outside the EEA become necessary in the future, Helena Bioinformatics will obtain prior written authorization from the data controller and rely on a transfer mechanism under GDPR Chapter V: an adequacy decision for the destination country (Article 45) or appropriate safeguards such as Standard Contractual Clauses (Article 46), together with the transfer risk assessment those safeguards require.

Contact

For questions regarding data protection, GDPR compliance, or to exercise data subject rights, contact privacy@helena.bio. The full Privacy Policy and Data Processing Agreement are available on our website.