FitMesh Sync


GDPR and fitness data: where your smartwatch data actually ends up

What the regulation says, what brands actually do, and what you can demand if you're in Europe. No hysteria, concrete examples.

Category: Privacy
Date: 21 May 2026
Reading time: 10 min

In summary

  • Heart rate, sleep, menstrual cycle and SpO₂ are 'special' health data under GDPR art. 9: consent must be explicit and granular, not a generic 'accept all'.
  • Almost no major brand keeps your data exclusively in Europe: Apple, Google/Fitbit, Garmin and Samsung all transfer part of it to the USA under Standard Contractual Clauses (SCC) or the EU-US Data Privacy Framework (DPF).
  • You have three practical rights to exercise now: access (a copy within one month, free), portability (CSV/JSON) and erasure.
  • Red flag in privacy policies: 'sharing with research partners' bundled in a single consent, or 'advertising personalization' for health data.
  • Health Connect is the most privacy-friendly Android setup: data stays on-device and every app must request permission per data type.

Your smartwatch data (heart rate, sleep, menstrual cycle, weight, activity) is 'data concerning health' as defined in GDPR art. 4 no. 15. The regulation subjects it to stricter rules than an email address or a purchase history, and every brand collecting it must meet precise obligations toward users in the EU. This article explains what those obligations mean in practice and how to exercise your rights.

What counts as 'health data' under GDPR

'Special' category (art. 9): processing is forbidden in principle, except under explicit exceptions. Two are relevant for smartwatches: explicit consent (art. 9.2.a) and care, occupational-medicine or public-health purposes (art. 9.2.h-i). Practically all consumer manufacturers rely on the explicit consent you give when accepting the terms at first launch, which is why the granularity of that first consent screen matters: a single 'accept all' covering research sharing and analytics is a weak basis for special-category data.

  • Heart rate: health data.
  • Menstrual cycle (Apple Watch Cycle Tracking, Withings Cycle, etc.): sensitive health data.
  • Sleep by stages (REM, Deep, Light, Awake): health data.
  • ECG: medical health data.
  • SpO₂: health data.
  • Daily steps: borderline. Some DPAs classify them as health if linked to an identifiable person, others as standard personal data.
  • Workout GPS tracks: personal data (not health-related per se), but a localized profile that can reveal residence/workplace/habits.

Where your data physically ends up

Each brand's privacy policy declares which countries host servers. Summary based on public policies as of 2026:

Brand | Primary EU data servers | Non-EU transfers
Apple | Ireland + Denmark | USA for analytics processing (SCC)
Google (Fitbit/Pixel) | Belgium + Netherlands + Finland | USA (DPF + SCC)
Samsung | Netherlands + Germany | South Korea for backup; USA for Health Cloud (SCC)
Garmin | Netherlands + USA | USA as default (SCC + DPF)
Polar | Finland | Limited to analytics processing
Withings | France | Limited
Oura | Ireland | USA for processing (SCC)
Xiaomi | Germany | Singapore + China (with SCC; with GDPR interpretation caveats)
Huawei | Netherlands + Germany | China (complex situation, read the ToS)

Your rights, in practice

Right of access (art. 15)

You can ask any controller for a copy of all the data it holds about you. It must answer without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests (art. 12.3). Free of charge, unless the request is manifestly unfounded or excessive. The dataset must be intelligible (no undecipherable binary dumps).

  • Apple: via privacy.apple.com (Health iCloud data included).
  • Google/Fitbit: via takeout.google.com.
  • Samsung: via privacy.samsung.com/en/privacy-rights.
  • Garmin: via account dashboard → Privacy → 'Export data'.
  • Polar: via flow.polar.com → profile settings.
  • Withings: via account.withings.com → privacy.
  • Oura: via cloud.ouraring.com → settings → export.
  • Xiaomi: via privacy.mi.com.
  • For any other brand: the privacy policy must name a contact for data-protection requests (art. 13); privacy@[brand].com is the usual address.

Right to portability (art. 20)

Limited to data you provided yourself, either directly or through using the service (raw heart-rate samples, workouts), when processing is based on consent or a contract and is automated (art. 20.1). Data the controller derived or aggregated (resting heart rate, sleep scores, readiness indices) may not be included. The format must be 'structured, commonly used and machine-readable', in practice CSV or JSON. This is the right that lets you switch ecosystems without losing your history.
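What a portability export is actually good for, as an added example (not FitMesh Sync's code): two constructed exports, a JSON one with local-time offsets and a CSV one already in UTC, merged into one common schema with duplicate readings removed, plus a derived daily resting heart rate recomputed from the raw samples you are entitled to. Both export layouts and the resting-heart-rate rule are assumptions for the demo, not any brand's real format or algorithm.

```python
"""Merge two constructed wearable exports into one common, machine-readable schema.

Added example, not FitMesh Sync's code. Both export layouts and the
resting-heart-rate rule below are assumptions for the demo, not any brand's
real export format or algorithm.
"""
import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median

# Constructed JSON export (brand A): local timestamps with a UTC offset.
EXPORT_A_JSON = json.dumps([
    {"dateTime": "2026-05-20T07:00:00+02:00", "value": {"bpm": 58}},
    {"dateTime": "2026-05-20T07:05:00+02:00", "value": {"bpm": 61}},
    {"dateTime": "2026-05-20T12:00:00+02:00", "value": {"bpm": 95}},
])

# Constructed CSV export (brand B): timestamps already in UTC. The 05:05Z row
# duplicates a brand A reading, as happens when one watch syncs to two apps.
EXPORT_B_CSV = """timestamp_utc,heart_rate
2026-05-20T05:05:00Z,61
2026-05-20T18:30:00Z,72
2026-05-21T06:00:00Z,55
"""


@dataclass(frozen=True, order=True)
class HeartRateSample:
    ts_utc: datetime
    bpm: int
    source: str


def parse_export_a(raw: str) -> list[HeartRateSample]:
    """Brand A JSON: convert each offset-aware timestamp to UTC."""
    samples = []
    for rec in json.loads(raw):
        ts = datetime.fromisoformat(rec["dateTime"]).astimezone(timezone.utc)
        samples.append(HeartRateSample(ts, int(rec["value"]["bpm"]), "brand_a"))
    return samples


def parse_export_b(raw: str) -> list[HeartRateSample]:
    """Brand B CSV: the 'Z' suffix is rewritten, fromisoformat rejects it before 3.11."""
    samples = []
    for row in csv.DictReader(io.StringIO(raw)):
        ts = datetime.fromisoformat(row["timestamp_utc"].replace("Z", "+00:00"))
        samples.append(HeartRateSample(ts.astimezone(timezone.utc), int(row["heart_rate"]), "brand_b"))
    return samples


def merge(*sample_lists: list[HeartRateSample]) -> list[HeartRateSample]:
    """Union keyed on the UTC instant; the first source seen wins a duplicate."""
    by_instant: dict[datetime, HeartRateSample] = {}
    for samples in sample_lists:
        for s in samples:
            by_instant.setdefault(s.ts_utc, s)
    return sorted(by_instant.values())


def daily_resting(samples: list[HeartRateSample]) -> dict[str, int]:
    """Derived metric recomputed locally: median of the three lowest readings
    per UTC day. A stand-in for vendor algorithms, which exports rarely include."""
    per_day: dict[str, list[int]] = {}
    for s in samples:
        per_day.setdefault(s.ts_utc.date().isoformat(), []).append(s.bpm)
    return {day: int(median(sorted(bpms)[:3])) for day, bpms in per_day.items()}


def to_csv(samples: list[HeartRateSample]) -> str:
    """Common schema: ISO 8601 UTC timestamp, bpm, originating export."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["ts_utc", "bpm", "source"])
    for s in samples:
        w.writerow([s.ts_utc.isoformat(), s.bpm, s.source])
    return buf.getvalue()


if __name__ == "__main__":
    merged = merge(parse_export_a(EXPORT_A_JSON), parse_export_b(EXPORT_B_CSV))
    print(to_csv(merged))
    print(daily_resting(merged))
```

Normalizing to UTC before merging is the step people skip: two brands stamp the same reading in different zones, so a naive concatenation keeps the duplicate at 05:05Z and shifts one day's boundary. Derived values such as resting heart rate are exactly the data art. 20 does not guarantee you, so recompute them from the raw samples rather than expecting them in the export.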

Right to erasure (art. 17)

When you close the account, your data must be deleted without undue delay (art. 17.1). Almost all brands keep operational backups for 30–180 days after deletion; that retention must be declared in the policy. Genuinely anonymized, aggregated data used for research or service improvement is no longer personal data, so erasure may not apply to it; the catch is whether the anonymization is genuine (see the red flags below).

Right to object (art. 21)

For processing based on legitimate interest (marketing profiling, non-essential aggregated analytics) you can object at any time; the controller must stop unless it demonstrates compelling legitimate grounds that override your interests (art. 21.1). Legitimate interest is almost always the legal basis behind 'share anonymous data to improve the service' programs, so this is the right to use against them.

Red flags in privacy policies

When reading a wearable brand's privacy policy before buying, search for these phrases. They are indicators of more or less aggressive practices.

  • 'We share data with research partners' → is there a granular opt-in consent? Yes = ok. Bundled into 'accept all' = red.
  • 'Aggregated and anonymized data' → what is sold as anonymization is often only pseudonymization, and re-identification becomes feasible once several datasets are combined. If there is an opt-out, use it.
  • 'To improve our services and those of our partners' → 'partners' is suspicious vagueness.
  • 'Advertising personalization' → using health data for ad profiling would need its own explicit consent under art. 9 and is hard to justify; Apple and Google/Fitbit expressly declare they don't do it (for Fitbit, a commitment Google gave the European Commission for the 2020 acquisition approval). If you find this clause applied to health data, switch brand.
  • Servers in China with no GDPR transfer mechanism mentioned → for European users almost always a legal problem.
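The same checklist as a script, added here as an example rather than FitMesh Sync's own tooling: it scans a policy for the phrases above and judges each hit in context, since the difference between 'ok' and 'red' is usually whether a consent cue, a negation ('we do not use ... for advertising') or a GDPR transfer mechanism appears in the same or the neighbouring sentence. The two policy excerpts are constructed for the demo, and the phrase patterns and cue words are my assumptions about typical wording, not a legal test.

```python
"""Scan a wearable privacy policy for the red-flag phrases listed above.

Added example, not FitMesh Sync's code. The two policy excerpts are
constructed for the demo; the phrase patterns and consent cues are my
assumptions about typical wording, not a legal test.
"""
import re
from dataclasses import dataclass

# (label, pattern, acceptable when a granular-consent cue appears nearby)
RED_FLAGS = [
    ("research_partners", r"research partners?", True),
    ("aggregated_anonymized", r"aggregated (and|or) anonymi[sz]ed", True),
    ("vague_partners", r"improve our services and (those of )?our partners", False),
    ("ad_personalization", r"advertis(ing|ement) personali[sz]ation", False),
    ("china_servers", r"servers?[^.]{0,40}\b(china|prc)\b", False),
]

CONSENT_CUES = re.compile(
    r"\b(opt[- ]?in|separate(ly)? consent|you (can|may) choose"
    r"|only (if|with) your (explicit )?consent)\b", re.I)
GDPR_CUES = re.compile(r"\bGDPR\b|standard contractual clauses", re.I)
HEALTH_TERMS = re.compile(r"\b(health|heart rate|sleep|spo2|cycle|ecg)\b", re.I)
NEGATION = re.compile(r"\b(do not|don't|never|will not|won't)\b", re.I)

# Constructed excerpts: one bundles everything, one is granular.
POLICY_BUNDLED = (
    "By accepting these terms you agree to our processing. "
    "We share data with research partners to advance sleep science. "
    "We use aggregated and anonymized data to improve our services and those of our partners. "
    "We use your heart rate and sleep data for advertising personalization. "
    "Data is stored on servers in Germany and China."
)
POLICY_GRANULAR = (
    "We share data with research partners only if you opt in to the Research Program in Settings. "
    "Aggregated and anonymized data is used for product statistics; you can choose to disable this. "
    "We do not use health data for advertising personalization. "
    "Data is stored on servers in Ireland; transfers to China are governed by "
    "standard contractual clauses under GDPR."
)


@dataclass
class Finding:
    label: str
    severity: str   # "red", "ok" or "info"
    sentence: str


def split_sentences(text: str) -> list[str]:
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def scan_policy(text: str) -> list[Finding]:
    findings = []
    sentences = split_sentences(text)
    for i, sent in enumerate(sentences):
        # Consent language often sits in the adjacent sentence, so judge
        # each hit against a three-sentence window.
        window = " ".join(sentences[max(0, i - 1): i + 2])
        for label, pattern, consent_ok in RED_FLAGS:
            m = re.search(pattern, sent, re.I)
            if not m:
                continue
            if NEGATION.search(sent[:m.start()]):
                severity = "ok"           # "we do not use ... for advertising"
            elif label == "china_servers":
                severity = "ok" if GDPR_CUES.search(window) else "red"
            elif label == "ad_personalization":
                # Only red when the clause is tied to health data.
                severity = "red" if HEALTH_TERMS.search(window) else "info"
            elif consent_ok and CONSENT_CUES.search(window):
                severity = "ok"
            else:
                severity = "red"
            findings.append(Finding(label, severity, sent))
    return findings


def red_flags(text: str) -> list[str]:
    """Sorted labels of the findings that should make you switch brand."""
    return sorted({f.label for f in scan_policy(text) if f.severity == "red"})


if __name__ == "__main__":
    for name, policy in (("bundled", POLICY_BUNDLED), ("granular", POLICY_GRANULAR)):
        print(name, red_flags(policy))
```

The negation check is the part most worth keeping: without it the granular policy's own 'we do not use health data for advertising personalization' is flagged as the worst clause on the page. It is still a heuristic over the sentence prefix, so read every hit before acting on it.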

In summary

  • Heart rate, sleep, menstrual cycle and SpO₂ are 'special' health data under GDPR art. 9: consent must be explicit and granular, not a generic 'accept all'.
  • Almost no major brand keeps your data exclusively in Europe: Apple, Google/Fitbit, Garmin and Samsung transfer data to the USA under SCC or DPF mechanisms. Huawei and Xiaomi transfer to Asia with weaker guarantees.
  • You have three practical rights to exercise now: access (a copy of your data within one month, free), portability (CSV/JSON format to switch ecosystems), erasure (by closing your account).
  • Red flag in privacy policies: 'we share with research partners' bundled in a single consent, or 'advertising personalization' for health data.
  • Health Connect is the most privacy-friendly Android setup available: data stays on-device, every app must request permission per data type.

Frequently asked questions

Can I sue a brand if it violates GDPR?

In Europe the standard route is a complaint to your national Data Protection Authority (art. 77; for Italy the Garante, www.garanteprivacy.it). It is free, and the authority can open an investigation and fine the controller. Direct civil action (art. 79, with compensation under art. 82) is possible but costly; it is worth it if you suffered concrete, quantifiable damage (e.g. a data breach followed by identity theft).

Is Health Connect safe for health data?

Structurally yes, it is the most privacy-friendly setup available on Android: data stays on the phone, every app must request explicit permission per data type, and access is logged. It is still important to evaluate which apps you authorize. Once an app has read from Health Connect, nothing in Health Connect stops it from uploading that data elsewhere (the case of MyFitnessPal or coaching apps sending data to their own cloud), so the permission screen is where the decision is actually made.

Is the FitMesh Sync app GDPR-compliant?

Yes. Explicit privacy policy, backend on Supabase Frankfurt (EU), granular in-app consent, one-click data deletion from settings, no third-party ad-tech sharing, no intrusive analytics trackers. Privacy-by-design architecture.

Legal notice

FitMesh Sync is an independent product. Apple, Google, Fitbit, Samsung, Garmin, Polar, Withings, Oura, Xiaomi and Huawei are trademarks of their respective owners. This article implies no affiliation or sponsorship.

Health notice

The information in this article is for informational purposes only and does not replace the advice of your doctor, pharmacist or other health professional. FitMesh Sync is a fitness and wellness app, not a medical device, and does not diagnose or treat any disease. For symptoms, clinical questions or treatment decisions, always consult your doctor.


Written by

Matteo Pizzi

Founder & Solo Dev, FitMesh Sync · Fosforonero

Italian software developer. I built FitMesh Sync to fill the gap between my smartwatch and a real personal dashboard. Privacy first, indie, servers in the EU.
