GDPR Data Subject Rights for EU/EEA Users

What it is

EU, EEA, UK, and Swiss users have GDPR rights including access to their data, the right to have it deleted or corrected, the right to object to processing, and the right to take their data to another service.

Why it matters (compliance & governance perspective)

GDPR rights are among the strongest data protection rights globally and are legally enforceable; identifying Garmin Ltd. in Switzerland as the data controller clarifies which entity is legally accountable for data collected outside the U.S.

Consumer impact (what this means for users)

If you are based in the EU, EEA, UK, or Switzerland, Garmin is legally required to respond to your requests to access, correct, erase, or port your personal data, and you can withdraw consent for health and biometric data processing at any time, which should stop that specific processing.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly addresses GDPR (Regulation (EU) 2016/679) obligations including data subject rights under Articles 15 through 22, the right to withdraw consent under Article 7, and data portability under Article 20. UK GDPR applies similar standards for UK users post-Brexit. Switzerland's revised Federal Act on Data Protection applies to Swiss users. The designation of Garmin Ltd. (Switzerland) as data controller for non-U.S. users determines which supervisory authority has primary jurisdiction, which may be a Swiss authority given the Swiss establishment of the controller, with potential complexity regarding GDPR's one-stop-shop mechanism given Garmin Ltd.'s location outside the EU. GOVERNANCE EXPOSURE: Medium. The identification of Garmin Ltd. in Switzerland as the controller rather than a Garmin EU establishment may affect which supervisory authority has lead jurisdiction under GDPR's one-stop-shop mechanism, since the one-stop-shop applies to controllers with EU establishments. EU data subjects retain the right to lodge complaints with their local supervisory authority regardless. Compliance teams should verify whether Garmin has a designated EU representative under GDPR Article 27 and whether this affects supervisory authority relationships. JURISDICTION FLAGS: The designation of a Swiss controller creates complexity for EU/EEA users because Switzerland, while deemed adequate by the EU for data protection purposes, sits outside the GDPR one-stop-shop framework. UK users have separate rights under UK GDPR with the ICO as supervisory authority. Swiss users are governed by revFADP. CONTRACT AND VENDOR IMPLICATIONS: The identification of Garmin Ltd. as the controller should be reflected in all data processing agreements with subprocessors handling EU/EEA user data. If Garmin has EU-based subsidiaries processing data on behalf of Garmin Ltd., the intercompany data transfer arrangements should be reviewed for GDPR compliance. COMPLIANCE CONSIDERATIONS: Legal teams should confirm whether a GDPR Article 27 EU representative has been appointed by Garmin Ltd., verify that Standard Contractual Clauses for onward international transfers are updated to the 2021 European Commission versions, and ensure that data subject request fulfillment processes meet GDPR's one-month response deadline. The legal basis for each category of processing (consent, contract, legitimate interest) should be documented and made available to supervisory authorities on request.

Applicable regulations

Provision details

Other risks in this policy

• Health and Sensitive Data Collection high
• Precise GPS Location Data Collection high
• Third-Party Service Provider and Partner Data Sharing medium
• Garmin Connect Public Activity Visibility medium
• California CCPA and CPRA Rights medium
• International Data Transfers via Standard Contractual Clauses medium