Samsung's Data Collection Policy and GDPR Compliance

(Topic created on: 17-01-2025 02:10 PM)
770 Views
T1ina
Apprentice

Under the EU General Data Protection Regulation (GDPR), companies are allowed to collect and process personal data, including sensitive health data, only if a valid legal basis applies. According to GDPR, one of the main legal bases for such processing is explicit consent (Article 6(1)(a)), particularly when dealing with special categories of personal data, such as health information (Article 9(2)(a)).

For consent to be valid under GDPR, it must be freely given, specific, informed, and unambiguous. Additionally, consent must be revocable, meaning users should be able to withdraw their consent at any time without negative consequences (Article 7(3)).

Samsung’s Policy and GDPR Compliance Concerns

In my case, Samsung forced me to choose between either allowing continued data collection or losing all previously stored health data. When I attempted to withdraw my consent, a mandatory pop-up message appeared, stating:

"Do you want to revoke this agreement?
You will no longer be able to sync health data with your Samsung account, and your health data will be deleted unless we are required to store it under applicable law. If we must store it, we will delete it as soon as the retention period is over."

The only options available were "Cancel" and "Revoke and delete data". There was no option to withdraw consent while still retaining access to previously collected data.

This practice raises serious concerns under GDPR because:

  1. Lack of a real choice – If withdrawing consent results in the complete loss of user data, then the consent was not freely given in the first place, which contradicts Article 7(4) of the GDPR.

  2. Inconsistent with "Purpose Limitation" (Article 5(1)(b)) – If Samsung continues using previously collected data even after a user withdraws consent, this raises questions about data minimization and whether data is being used beyond the scope originally agreed upon.

  3. Contradicts the "Right to Withdraw Consent" (Article 7(3)) – GDPR explicitly states that withdrawing consent should be as easy as giving it, and users must not suffer consequences for revoking consent. Deleting all previously stored data upon withdrawal is an excessive penalty.

Samsung's Reference to GDPR Articles 6(1)(b), 6(1)(c), 6(1)(f), and 6(1)(a)

Samsung refers to the following GDPR articles:

  • Article 6(1)(b) – Processing is necessary for the performance of a contract.
    → However, data deletion upon consent withdrawal is not a contractual necessity, unless Samsung can prove that storing the data is essential for providing the service.

  • Article 6(1)(c) – Processing is necessary for compliance with a legal obligation.
    → If Samsung is legally required to process health data, it must clearly specify which law mandates this and for how long data must be retained.

  • Article 6(1)(f) – Processing is necessary for legitimate interests.
    → Legitimate interest cannot override user rights when processing sensitive health data. Since Samsung relies on consent (Article 6(1)(a)), they cannot also claim legitimate interest to justify continued use of data after consent is withdrawn.

  • Article 6(1)(a) – Processing is based on consent.
    → Consent must be freely given and revocable, which means deleting user data as a consequence of withdrawal is likely unlawful under GDPR.

What Should Samsung Do?

Samsung should provide users with three clear options when withdrawing consent:

  1. Revoke consent but retain existing data (data remains accessible but no longer processed for new purposes).
  2. Revoke consent and request full data deletion (voluntary deletion, if the user chooses).
  3. Continue sharing data (if the user does not wish to revoke consent).

Currently, Samsung’s policy forces users into a choice that violates the principles of GDPR, particularly freely given consent, purpose limitation, and the right to withdraw consent without negative consequences.

Next Steps

I would like Samsung to clarify:

  • Why does Samsung not offer a "withdrawal of consent without deletion" option, as required by GDPR?
  • How does Samsung justify the continued processing of previously collected data after withdrawal, despite relying on consent as a legal basis?
  • Can Samsung confirm which specific legal obligations (Article 6(1)(c)) require them to delete user data when consent is withdrawn?

If no satisfactory answer is provided, I will consider filing a formal complaint with the relevant EU Data Protection Authority (DPA), as this practice appears non-compliant with GDPR.

0 Likes

10 REPLIES 10
Piper123
Samsung Members Star ★
Hi there

Samsung do not deal with such issues on this, a CUSTOMER TO CUSTOMER FORUM.

If you are that unhappy, then I recommend you follow through on your next steps as I'm sure Samsung and their legal teams will have gone through all of this with a very fine toothcomb.
S24 Ultra
Glenntech
Samsung Members Star ★★
Samsung will only use certain parts of the data and it's securely stored.
In order for certain apps and services to work, they will need to use some of this data.
If it can't be used, then simply apps and services won't work.
Stored data will help with development of the apps and services for future devices. To be more accurate and reliable.
As far as I'm aware this data would be stored anonymously.
But as @Piper123 has said, you can contact them and they can clarify things further.
https://www.samsung.com/uk/sustainability/security-and-privacy/privacy/1737131321996.jpg
Moiramon
Troubleshooter
There's an option to download your data.
0 Likes
T1ina
Apprentice

Response to Samsung Forum Users Regarding GDPR Compliance

I have worked for several large companies that maintain their own user forums, and in my experience, these companies always have employees who monitor forum discussions. Large corporations do not want a negative reputation based on what is posted in their own forums. Many companies in the EU also have official representatives who actively respond to customer concerns in such forums. In fact, many companies scan multiple forums—even those they do not own—to gauge customer satisfaction and public perception.

I understand that corporate culture differs between the EU and Asia, but I am still certain that Samsung monitors this forum. It is also possible that some Samsung employees respond here without disclosing their affiliation, potentially to redirect discussions that could be unfavorable to the company.

No, I will not contact Samsung through any other channel. A company that makes it difficult to access customer support will not genuinely engage with user concerns. Out of courtesy, I will wait a few days to allow Samsung the opportunity to clarify their position. However, if no satisfactory response is provided, I will proceed with filing a complaint with the EU Data Protection Authority for GDPR violations.

I live in an EU country that has faced significant challenges with companies attempting to misuse personal data and share privacy-sensitive information with third parties. As a result, I am well aware of when GDPR is being violated and have experience filing formal complaints. Most companies do not change their GDPR practices until they are contacted by regulatory authorities, which is why I see no point in waiting indefinitely.

0 Likes
Glenntech
Samsung Members Star ★★
The forum is predominantly customer to customer based.
There are of course Moderators that are Samsung employees, but don't work in the customer services. If you raise a concern, they can pass on the information. This you can do by sending a private message to @Sam_UK
One of the Moderators can pass on your concerns.
But whether you get the answer you require, I'm not sure.
Customer Support won't be monitoring this forum.
I understand some forums have a different way of doing things.
But this is very much a customer based forum
BandOfBrothers
Samsung Members Star ★★

@T1ina Samsung will take instances like you raise very seriously, and comply with all relevant up-to-date legislation etc.

As you live in Sweden as you've mentioned in this thread https://eu.community.samsung.com/t5/wearables/samsung-health-food-search (I'm living in Sweden), the Samsung Community Forum Team wouldn't be able to assist as they can only help with UK members' posts.

For a more appropriate detailed response you would really need to post in your own region's section of the forum in my opinion.

I hope this helps. 


Daily Driver > Samsung Galaxy s²⁵ Ultra 512Gb ~ Titanium Black.

The advice I offer is my own and does not represent Samsung’s position.
I'm here to help. " This is the way. "

Piper123
Samsung Members Star ★
Good luck.

I'm afraid I don't fancy your chances here. Samsung's vast legal team will have done all their due diligence.

Can't see what you are trying to achieve here personally but if you have your gripe I'm sure you'll do whatever you feel is right.

But as has been said above, Samsung will not respond to you on here (regardless of what you think) and unless users have Moderator or Community Manager against their name, in this forum they are not staff.

You'll also be facing an extremely high legal bill.
S24 Ultra
0 Likes
Beta22
Voyager

@T1ina - I totally understand your concerns. Could you please consider channeling your concerns to the Samsung Data Protection Officer via the following dedicated web form? (I think you may be directed to the correct portal for your location, as the link below is for the UK)

https://www.europe-samsung.com/gdpr/webform/uk/sua 

I'm sure you are more likely to get a satisfactory response if you reach out to the DPO directly. In fact, I'd encourage anyone with similar concerns to do the same as Samsung set up that portal specifically for that purpose.

Hope this helps. In any case, wishing you a pleasant day.

0 Likes
Solution
T1ina
Apprentice

Final Update on My GDPR Complaint Against Samsung

I wanted to share a final update with the community regarding my concerns about Samsung Health’s data collection policies and GDPR compliance.

I have now officially submitted a complaint to the relevant Data Protection Authority (DPA) within the European Union regarding Samsung’s handling of user health data. I have done this not just for myself, but for all users, because consumer rights matter. Some members seemed upset or confused about why I would file a complaint, so I want to clarify my reasoning.

I find it disappointing that Samsung Health does not offer users more choices when it comes to storing and sharing health data. Currently, users must either:

  1. Accept that Samsung stores and shares their health data, including with employees and business partners.
  2. Delete all their health data, which means they cannot fully use their smartwatch for health tracking.

Many other companies I have encountered in similar situations provide a third option:
Users can store their data but opt out of sharing it internally or externally.

Samsung does not provide this option, which is why I believe their current approach violates GDPR’s principles of freely given consent and data minimization.

Regarding Comments from Other Forum Members

  • @BandOfBrothers stated that the Samsung Community Forum team only assists UK members and therefore could not help me. However, the Nordic forum is practically inactive, and many users from smaller markets naturally participate in the English-language forum instead. If @BandOfBrothers does not want users from outside the UK to post here, I suggest they petition Samsung to divide the forum into separate sections—one for EU-based users and one for users outside the EU, as privacy laws and regulatory processes differ significantly.

    That said, I never asked for help—I simply pointed out that Samsung is violating GDPR, and I wanted to inform others about it.

  • @Piper123 commented:

    "I'm afraid I don't fancy your chances here. Samsung's vast legal team will have done all their due diligence."
    "You'll also be facing an extremely high legal bill."

    To @Piper123, I would like to clarify: I am fully aware that Samsung has highly skilled lawyers, and I assume they have tried to interpret GDPR to the best of their ability. However, the EU also has some of the best legal experts specializing in GDPR, and I trust they know the regulation better than Samsung’s legal team.

    Furthermore, filing a GDPR complaint in the EU is completely free of charge for individuals. The only potential financial impact would be on Samsung, should they be required to adjust their policies to ensure compliance with GDPR regulations for selling products in the EU.

Closing Thoughts

I also want to thank everyone who provided links to different Samsung contact points, but I want to emphasize that it was never my intention to contact Samsung directly. A single user has no real influence over a corporation’s policies, but GDPR and the European Union do. That is why I chose this path.

Finally, I want to thank the community for the discussion and for those who engaged in good faith. I sincerely hope Samsung will update its policy now that it has been made aware that its current approach is not GDPR-compliant.

0 Likes