A health insurance company’s initiative to offer tailored preventative health programs to customers, based on analysis of their past claims data without their consent, has been struck down by Germany’s Federal Administrative Court. The ruling overturns previous instances that had deemed such data processing lawful (Judgment of 06.03.2026, Ref. 6 C 7.24).
A Controversial Decision
The practice was not problematic for customers who had modified or taken out new contracts, as their consent had been obtained. However, the Federal Administrative Court’s decision is critical regarding the remaining customers. The insurance company analyzed their past claims without their consent and subsequently sent them invitations to targeted coaching programs tailored to their health conditions.
Two previous instances had already addressed whether such measures constituted a violation of the GDPR, ruling in favor of the insurance company. These courts found that the data usage met the requirements for data processing, was based on a suitable legal basis under Art. 9 Para. 2 lit. H GDPR (Art. 22 Para. 1 No. 1 lit. B BDSG), and was conducted confidentially. The interest in prevention justified the data processing, rendering the order issued by the Data Protection Officer of Rhineland-Palatinate in February 2022, aimed at restricting the processing of customer data without their consent, ineffective.
However, the Federal Administrative Court disagreed, overturning the previous decisions and dismissing the insurance company’s claim, despite acknowledging the legitimacy of prevention in principle. The court reasoned that this alone was insufficient to justify such a measure given the particularly protected nature of health data under Art. 9 GDPR. As preventative programs are not considered part of the core medical healthcare area, and the insurance company had not adequately informed its insured individuals about the specific use of their data as required by Art. 13 Para. 1 lit. D GDPR, the customers’ interest in protecting their data outweighed the insurance company’s interest. The data analysis was extensive, encompassing customers whose health did not require prevention, creating a disproportionate risk to privacy without benefiting all those affected.
Legal Assistance Available
Do you necessitate legal advice? Call us for a free initial assessment or use our contact form.
What to Take Away From This Decision
This final ruling reinforces the need to obtain clear consent from those affected and strengthens the importance of the GDPR, even in the context of public health goals. The Federal Administrative Court acknowledges that the financial interests of the insurance company do not conflict with the importance of such measures for the common good, but finds that the fundamental rights of customers outweigh the entrepreneurial freedom of the insurance company, as outlined in Art. 6 Para. 1 Subpara. 1 lit. F GDPR.
The WBS Expertise
This decision, and those of the previous instances, demonstrate that the scope of data protection continues to be refined. Its rapid development requires continuous monitoring. Whether you are personally affected or represent a legal entity, we are happy to support you with advice, assistance, or to answer your questions.
hke
