Compliance posture
For clinical-lab decision-makers and DPO teams
Genetic History is a push-model software module installed in your laboratory’s own infrastructure. This page explains what that means for data-protection obligations — yours and ours — in terms your procurement and DPO teams can act on without a legal dictionary.
The short version: patient data never reaches Genetic History. It stays in your infrastructure. Genetic History’s obligations under GDPR arise from distributing a software library, not from processing your patients’ genetic data.
1. Architecture: the technical basis for the compliance perimeter
Genetic History does not operate as a cloud API or SaaS platform. Your laboratory installs a software module in your own IT environment. The module processes genetic-variant inputs against a locally stored ancestry-narrative library and returns structured outputs — without any data leaving your perimeter.
Four architecture invariants create the compliance structure:
- No runtime data transfer to Genetic History. Once installed and library-synced, the module runs fully offline. No call-home, no telemetry, no usage analytics, no runtime logs reach Genetic History at any point during patient-result processing.
- Library updates are one-way. Genetic History publishes versioned library updates at HTTPS endpoints on Scaleway EU (France region, DC2 Vitry-sur-Seine, Val-de-Marne, Paris metropolitan area). Your module syncs on a configurable cadence — weekly by default; monthly or quarterly for stability-conservative environments. Only library content flows toward your module. No patient data flows back.
- EU-only hosting. Genetic History’s sync infrastructure operates on Scaleway EU (France region, DC2 Vitry-sur-Seine, Val-de-Marne, Paris metropolitan area) exclusively. No cross-border data transfer mechanism exists in v0.1.
- Data stays at partner. Patient data resides in your infrastructure at all stages: ingestion, processing, and output delivery. This is a technical invariant, not a policy commitment — it is auditable by design.
2. GDPR Art. 9 — scope of our engagement
Because patient data stays in your infrastructure, Genetic History S.L. operates as a software licensor / distributor and does not act as data processor or sub-processor over patient personal data per GDPR Arts. 4.7-4.8. Genetic History’s GDPR scope covers library distribution only — not patient-data processing.
In practice:
- Our contractual scope is narrow. Genetic History’s License & distribution contractual annex template is scoped to library distribution and software licensing only. It does not constitute a data-processing agreement under GDPR; it covers the sync-endpoint relationship and software license, not patient-data handling. A pre-drafted, narrowly scoped license annex template is available from the LOI stage onward.
- Your Art. 9 obligations remain yours. Your laboratory already holds the patient consent basis for clinical genetic testing. Extending ancestry-narrative output to a patient’s result requires that your consent scope covers this additional use. Genetic History provides consent-language guidance in the license annex template to support your compliance review.
- Infrastructure provider for library distribution. Scaleway (EU, France region — DC2 Vitry-sur-Seine, Val-de-Marne, Paris metropolitan area) is the sole infrastructure provider for library distribution in Genetic History’s license-annex scope. It is engaged for library hosting and sync-endpoint infrastructure only; it does not process patient data and is not a sub-processor over personal data.
2.bis. Lawful basis for B2B prospect outreach
B2B prospect outreach by Genetic History SLU (email contact to clinical NGS lab decision-makers for partnership discussion) operates under GDPR Art. 6(1)(f) legitimate interest, supported by a director-signed Legitimate Interests Assessment (LIA) documenting the ICO 3-prong test (purpose / necessity / balancing) + KNLTB C-621/22 narrow-construction analysis.
Statutory transparency disclosure per GDPR Art. 13(1)(d) + Art. 14(2)(b) for this processing basis is published at the Privacy Notice §2 — row “B2B prospect outreach” — available to all data subjects.
DPO + vendor-due-diligence access: the full text of LIA Wave-1 v0.1.1 (signed by Vadim Urasin, sole administrator-controller per LSC Art. 233-234, dated 2026-04-22; amended as v0.1.1 on 2026-04-30, a factual correction of the Scaleway location) is available under NDA to qualified customers, DPO teams conducting vendor due diligence, and supervisory authorities (AEPD). To request access, contact acgt@genetichistory.es with subject “LIA Request — [Your organization name]”.
Data subjects may exercise the right to object per GDPR Art. 21 at any time without justification; see Privacy Notice §4 + §7 for rights-exercise channels.
3. Breach scope and notification
At your site: patient data resides in your infrastructure. A breach involving patient genetic data at your environment falls within your GDPR Art. 33 72-hour notification obligation.
At Genetic History’s side: any breach at Genetic History involves only the library-distribution asset — a versioned software library package. This is not personal data. Genetic History’s 72-hour notification obligation, where triggered, is scoped to this library asset only.
4. Regulatory framework statements
The following positions reflect Genetic History’s current architectural posture combined with established legal-research substrate. Items marked pending external legal review are pending formal validation by external Legal/Compliance Counsel (scheduled in the coming weeks). External counsel will confirm, update, or revise these positions with formal legal opinions.
Ley 14/2007 de Investigación Biomédica (Spain): Genetic History operates in the genealogical and wellness context. The module delivers ancestry narratives — not research protocols, biomedical analysis, or clinical-data interpretation. Technical separation between ancestry-narrative generation and biomedical research is enforced by module design. Status: pending external legal review (genealogical-scope characterisation pending external formal review).
IVDR / MDR: Genetic History distributes a non-clinical module. Our scope assertion is that the ancestry-narrative module does not constitute a medical device under IVDR. Your laboratory’s existing MDR/IVDR compliance scope is not affected by this integration — the module operates outside clinical-interpretation scope. Status: pending external legal review (the non-clinical module label is our scope assertion, not a regulatory determination; external formal review in the coming weeks).
EHDS (European Health Data Space; Art. 105 of Reg. 2025/327 schedule: general application 2027-03-26; priority categories + EHR systems 2029-03-26; additional categories 2031-03-26): Non-clinical genealogical ancestry framing is likely outside EHDS primary-use data scope. Genetic History does not hold or process health data within the EHDS definition. Status: pending external legal review (formal EHDS scope assessment by external counsel pending).
EU AI Act: The EU AI Act phases in per Art. 113 of Reg. 2024/1689: general application 2026-08-02; high-risk provisions (Art. 6(1)) 2027-08-02. Genetic History adopts a transparency-forward posture ahead of this schedule. AI-assisted ancestry-narrative generation is disclosed in module output documentation. Formal risk classification under the EU AI Act is subject to external Legal/Compliance Counsel review; no classification is asserted in this document. Status: pending external legal review.
Accessibility (EAA / Spain RD 193/2023): The EU Accessibility Act’s B2B exemption and microenterprise exemption both apply to Genetic History’s offering. WCAG 2.1 AA compliance is adopted voluntarily as a trust-signal and as anticipatory preparation for Spain RD 193/2023 phase-in (2029 deadline).
5. License annex template and legal documentation
A pre-drafted, narrowly scoped License & distribution contractual annex template (library-distribution and software-licensing scope only, not patient-data processing) is available from the LOI stage onward.
To request the license annex template or discuss integration compliance requirements:
Email: acgt@genetichistory.es
Subject line: License annex request — [Your Organisation Name]
The license annex covers:
- Sole infrastructure provider for library distribution disclosure: Scaleway EU
- Library-distribution and software-licensing scope statement
- Consent-language guidance for extending ancestry features to patient results
6. Data controller
Genetic History, S.L.U.
CIF B24962573
Registro Mercantil de Barcelona, Hoja B-646398
Calle Aribau 168, 1-1, 08036 Barcelona, Spain
7. Interim governance posture
Note for DPO and legal reviewers: the regulatory positions in §4 above reflect Genetic History’s current architectural-lever posture combined with established GDPR and sector-law research. Formal legal opinions for the interim-posture items are scheduled with external Legal/Compliance Counsel in the coming weeks. Where formal opinions diverge from interim positions, this page will be updated and the license annex template revised accordingly.
If you require formal legal opinions prior to that review — for example, for your procurement gate — contact Genetic History at acgt@genetichistory.es to arrange direct dialogue with the founder.
Appendix A: infrastructure provider registry (v0.1)
| Infrastructure provider | Service | Region | Data processed |
|---|---|---|---|
| Scaleway | Library hosting + sync endpoints | EU (France, DC2 Vitry-sur-Seine, Val-de-Marne, Paris metropolitan area) | Library-distribution asset (non-PII) only |
No patient data reaches any Genetic History infrastructure provider (Genetic History S.L. does not act as data processor or sub-processor over patient personal data per GDPR Arts. 4.7-4.8).