
Samsung's Data Collection Policy and GDPR Compliance

(Topic created on: 17-01-2025 02:10 PM)
T1ina
Apprentice


Under the EU General Data Protection Regulation (GDPR), companies are allowed to collect and process personal data, including sensitive health data, only if a valid legal basis applies. According to GDPR, one of the main legal bases for such processing is explicit consent (Article 6(1)(a)), particularly when dealing with special categories of personal data, such as health information (Article 9(2)(a)).

For consent to be valid under GDPR, it must be freely given, specific, informed, and unambiguous. Additionally, consent must be revocable, meaning users should be able to withdraw their consent at any time without negative consequences (Article 7(3)).

Samsung’s Policy and GDPR Compliance Concerns

In my case, Samsung forced me to choose between either allowing continued data collection or losing all previously stored health data. When I attempted to withdraw my consent, a mandatory pop-up message appeared, stating:

"Do you want to revoke this agreement?
You will no longer be able to sync health data with your Samsung account, and your health data will be deleted unless we are required to store it under applicable law. If we must store it, we will delete it as soon as the retention period is over."

The only options available were "Cancel" and "Revoke and delete data". There was no option to withdraw consent while still retaining access to previously collected data.

This practice raises serious concerns under GDPR because:

  1. Lack of a real choice – If withdrawing consent results in the complete loss of user data, then the consent was not freely given in the first place, which contradicts Article 7(4) of the GDPR.

  2. Inconsistent with "Purpose Limitation" (Article 5(1)(b)) – If Samsung continues using previously collected data even after a user withdraws consent, this raises questions about data minimization and whether data is being used beyond the scope originally agreed upon.

  3. Contradicts the "Right to Withdraw Consent" (Article 7(3)) – GDPR explicitly states that withdrawing consent should be as easy as giving it, and users must not suffer consequences for revoking consent. Deleting all previously stored data upon withdrawal is an excessive penalty.

Samsung's Reference to GDPR Articles 6(1)(b), 6(1)(c), 6(1)(f), and 6(1)(a)

Samsung refers to the following GDPR articles:

  • Article 6(1)(b) – Processing is necessary for the performance of a contract.
    → However, data deletion upon consent withdrawal is not a contractual necessity, unless Samsung can prove that storing the data is essential for providing the service.

  • Article 6(1)(c) – Processing is necessary for compliance with a legal obligation.
    → If Samsung is legally required to process health data, it must clearly specify which law mandates this and for how long data must be retained.

  • Article 6(1)(f) – Processing is necessary for legitimate interests.
    → Legitimate interest cannot override user rights when processing sensitive health data. Since Samsung relies on consent (Article 6(1)(a)), they cannot also claim legitimate interest to justify continued use of data after consent is withdrawn.

  • Article 6(1)(a) – Processing is based on consent.
    → Consent must be freely given and revocable, which means deleting user data as a consequence of withdrawal is likely unlawful under GDPR.

What Should Samsung Do?

Samsung should provide users with three clear options when withdrawing consent:

  1. Revoke consent but retain existing data (data remains accessible but no longer processed for new purposes).
  2. Revoke consent and request full data deletion (voluntary deletion, if the user chooses).
  3. Continue sharing data (if the user does not wish to revoke consent).

Currently, Samsung’s policy forces users into a choice that violates the principles of GDPR, particularly freely given consent, purpose limitation, and the right to withdraw consent without negative consequences.

Next Steps

I would like Samsung to clarify:

  • Why does Samsung not offer a "withdrawal of consent without deletion" option, as required by GDPR?
  • How does Samsung justify the continued processing of previously collected data after withdrawal, despite relying on consent as a legal basis?
  • Can Samsung confirm which specific legal obligations (Article 6(1)(c)) require them to delete user data when consent is withdrawn?

If no satisfactory answer is provided, I will consider filing a formal complaint with the relevant EU Data Protection Authority (DPA), as this practice appears non-compliant with GDPR.

10 REPLIES
AntS
Moderator

Hi @T1ina ,

Updating the thread with a more official response for you and everyone:

"Thank you for sharing the concerns you have faced with GDPR compliance. We at Samsung would like to assure you that we take customer data very seriously and ensure that all our services follow a strict “Privacy by design” approach in accordance with GDPR.

If you need any clarification or specific request, please contact the data protection inbox (dataprotection@samsung.com).

If you would like to exercise one of GDPR rights, you can go to the webform (https://www.samsung.com/request-desk/).

Kind regards"
