GDPR and fitness data: where your smartwatch data actually ends up

Your smartwatch data — heart rate, sleep, menstrual cycle, weight, activity — isn't like other data. GDPR categorizes it as 'health-related data' (art. 4, no. 15) and subjects it to stricter rules than email addresses or purchase history. This article explains what that means in practice if you live in Europe, and how to behave with manufacturers.

What counts as 'health data' under GDPR

'Special' category (art. 9) — processing is in principle forbidden except for explicit exceptions. The relevant exceptions for smartwatches are two: explicit consent (art. 9.2.a) and care/occupational medicine/public health purposes (9.2.h-i). Practically all consumer manufacturers rely on the explicit consent you give when accepting ToS at first launch.

• •Heart rate: health data.
• •Menstrual cycle (Apple Watch Cycle Tracking, Withings Cycle, etc.): sensitive health data.
• •Sleep by stages (REM, Deep, Light, Awake): health data.
• •ECG: medical health data.
• •SpO₂: health data.
• •Daily steps: borderline — some DPAs classify them as health if linked to an identifiable person, others as standard personal data.
• •Workout GPS tracks: personal data (not health-related per se), but a localized profile that can reveal residence/workplace/habits.

Where your data physically ends up

Each brand's privacy policy declares which countries host servers. Summary based on public policies as of 2026:

Your rights, in practice

Right of access (art. 15)

You can ask any controller for a copy of all data they have about you. They have 30 days (extendible to 90 in complex cases). Free. The dataset must be intelligible (no indecipherable binary dumps).

• •Apple: via privacy.apple.com (Health iCloud data included).
• •Google/Fitbit: via takeout.google.com.
• •Samsung: via privacy.samsung.com/en/privacy-rights.
• •Garmin: via account dashboard → Privacy → 'Export data'.
• •Polar: via flow.polar.com → profile settings.
• •Withings: via account.withings.com → privacy.
• •Oura: via cloud.ouraring.com → settings → export.
• •Xiaomi: via privacy.mi.com.
• •For any other: email privacy@[brand].com — they must provide a channel.

Right to portability (art. 20)

Specific to data you provided (voluntarily or via service use). Data derived or aggregated by the controller may not be included. In 'structured, commonly used and machine-readable format' — usually CSV or JSON. This is the legal basis enabling ecosystem switches without losing history.

Right to erasure (art. 17)

Closing the account, data must be deleted. Almost all brands keep operational backups for 30–180 days post-deletion (must be declared). For anonymized and aggregated data for research/improvement, deletion may not be mandatory.

Right to object (art. 21)

For processing based on legitimate interest (marketing profiling, non-essential aggregated analytics), you can object at any time. The controller must stop processing or prove an overriding interest. Almost always the legal basis for 'share anonymous data to improve service' programs.

Red flags in privacy policies

When reading a wearable brand's privacy policy before buying, search these keywords. They're indicators of more or less aggressive practices.

• •'We share data with research partners' → granular opt-in consent? Yes = ok. Bundled in 'accept all' = red.
• •'Aggregated and anonymized data' → anonymization is reversible across multiple datasets. If possible, opt-out.
• •'To improve our services and those of our partners' → 'partners' is suspicious vagueness.
• •'Advertising personalization' → forbidden for health data (Apple, Google/Fitbit expressly declare they don't do it thanks to regulatory commitments). If you find this clause for health data, switch brand.
• •Servers in China without GDPR mention → for European use almost always a legal problem.