Samsung Health app's attempt to violate my privacy

I ride my bike every morning. Especially during the lockdowns it’s important to stay healthy.
To see my progress, I am using the Samsung Health app.
Not a very smart move if you don’t want your data to be sold, I know, but yeah.
It works. Until today.

When I saw this, I was already thinking “Oh no”. But it got worse after tapping continue:

I of course clicked deny, but then you cannot use the app anymore:

Tapping continue just shows this pop up again.

So this app cannot be used anymore, unless I let Samsung Health “make and manage phone calls”.
I think it’s very funny and sad at the same time that Americans tend to forget that here in Europe we actually got some decent privacy laws that aim to protect European citizens from this kind of malicious behaviour.

My question is: is this allowed or not?
Does the GDPR allow the processing of such data (including phone numbers) while it's not necessary for keeping track of my workouts? (Or at least, it wasn't necessary before.)
Or will this issue be addressed in the ePrivacy Regulation?

Welcome to @Datavid! :tada:

Staying healthy is important, and using the Samsung Health app can be very convenient. It is understandable that you are using it.

Back to your questions: It appears that Samsung Health updated its privacy policy. They can make the acceptance of the privacy policy itself mandatory; however, acceptance of a privacy policy that contains passages such as "I consent to the processing of my personal data for x purpose" does not constitute consent under the GDPR.[1]

The permission does seem very scary given that it allows the app to make and manage phone calls, which is not what you use Samsung Health for.

If the permission is necessary for the app to function arguably they can force granting the permission because otherwise the app would not function. I don’t think that’s the case here.

Phone numbers do constitute personal data generally speaking; with that in mind, you cannot "just" process phone numbers (and by extension ask for that permission) without applying all the principles of the GDPR first, such as determining a legal basis.

A user on the Samsung community website suggested that it might be needed to make phone calls if you have a smartwatch. Another user posted a workaround, which might be of interest to you: Initially accept it and then immediately go into settings and revoke the permission from the Samsung Health app.[2]

The ePrivacy directive does not cover this. I believe that the upcoming ePrivacy Regulation (unfortunately) does not cover this either. The ePrivacy regulation will cover the collection of information from an end-user’s terminal equipment, but I am not sure whether this is in scope. Maybe someone else can chime in and answer this question?

  1. Art. 7(2) GDPR

  2.

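The workaround above (accept, then revoke the permission) can also be checked and applied from a computer over adb instead of the Settings UI, which is useful for confirming what the app was actually granted. The script below is an added example and is not code from this thread or from Samsung; it assumes the package name `com.sec.android.app.shealth` for Samsung Health, and the dumpsys text it parses is a constructed sample in the shape `adb shell dumpsys package <pkg>` prints in its "runtime permissions" section.

```shell
#!/bin/sh
# Added example, not code from the thread: list the runtime permissions an
# Android app has actually been granted (from `adb shell dumpsys package`)
# and emit the `adb shell pm revoke` commands that undo the phone-call grant.
# Package name and dumpsys sample are assumptions constructed for the example.

# Assumed package name of Samsung Health.
PKG="com.sec.android.app.shealth"

# Permissions Android groups under PHONE ("make and manage phone calls").
PHONE_PERMS='CALL_PHONE|READ_PHONE_STATE|READ_PHONE_NUMBERS|READ_CALL_LOG|WRITE_CALL_LOG|ADD_VOICEMAIL|USE_SIP|ANSWER_PHONE_CALLS|PROCESS_OUTGOING_CALLS'

# Constructed sample of the "runtime permissions:" section dumpsys prints.
SAMPLE_DUMPSYS='    runtime permissions:
      android.permission.CALL_PHONE: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
      android.permission.ACTIVITY_RECOGNITION: granted=true, flags=[ USER_SET]'

# granted_perms: stdin = dumpsys output; prints one granted permission per line.
granted_perms() {
    sed -n 's/^[[:space:]]*\(android\.permission\.[A-Z0-9_]*\): granted=true.*/\1/p'
}

# phone_perms_only: stdin = permission names; keeps only the PHONE group.
phone_perms_only() {
    grep -E "^android\.permission\.($PHONE_PERMS)\$" || true
}

# revoke_cmds PKG: stdin = permission names; prints one adb command per line.
# `pm revoke` is the same operation as toggling the permission off in Settings.
revoke_cmds() {
    while IFS= read -r perm; do
        if [ -n "$perm" ]; then
            printf 'adb shell pm revoke %s %s\n' "$1" "$perm"
        fi
    done
}

# phone_revokes: revoke commands for the granted PHONE permissions in the sample.
phone_revokes() {
    printf '%s\n' "$SAMPLE_DUMPSYS" | granted_perms | phone_perms_only | revoke_cmds "$PKG"
}

# live_phone_revokes: the same against a connected device (adb on PATH,
# USB debugging enabled on the phone).
live_phone_revokes() {
    adb shell dumpsys package "$PKG" | granted_perms | phone_perms_only | revoke_cmds "$PKG"
}

# Stand-alone run: print the commands for the sample. `--live` reads the real
# device instead; `--live-apply` executes the revokes rather than printing them.
case "${1:-}" in
    --live)       live_phone_revokes ;;
    --live-apply) live_phone_revokes | sh ;;
    *)            phone_revokes ;;
esac
```

Running it without arguments prints two revoke commands for the sample (CALL_PHONE and READ_PHONE_STATE) and leaves ACTIVITY_RECOGNITION alone, which is the permission a fitness tracker actually needs. Re-running `--live` after the app has been reopened shows whether it quietly re-requested the grant.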

It's a good question, and I think it probably depends on what exactly access is being granted to and what that is being used for. For the ePD cookie consent rules to apply there needs to be (a) access to or storage of information on (b) terminal equipment of the user and (c) that needs to be carried out using an "electronic communications network". I don't think an app using functionality on the phone meets (c) if no data is stored on or leaves the device, so I don't think (in the absence of any further information) that consent is needed for this.


Thanks guys for the very quick and elaborate replies! This is exactly what I needed to know.
Unfortunately Samsung has not decided to change this behaviour, despite receiving mostly 1-star reviews on their app for this lately.
They even added the obligation to sign in with an account.

I don’t like this at all. So I’m thinking about creating my own app that doesn’t share data with anyone unless you want to (opt-in with friends).
