Well-intentioned, but please also well done - what municipalities, federal states and municipal companies need to consider when handling sensitive health data

Zeynep Kenar

Blog post | 18.03.2026

The offer actually sounded good: as part of its health management programme, a private health insurance company offered its policyholders health programmes such as coaching for diabetics, asthmatics and people with back problems. To identify the patients concerned, the insurer analysed the invoices submitted to it for the diagnoses listed on them and then invited the insured persons to the programmes that suited them best. It obtained consent under data protection law from new customers and from existing customers whose contracts were changed; the data of all other insured persons was analysed without their consent.

The Rhineland-Palatinate state data protection commissioner (the supervisory authority) considered this a breach of the General Data Protection Regulation (GDPR), because the analysis had been carried out without the prior consent of the data subjects. He issued a warning to the insurer and ordered it, subject to a deadline, to carry out the processing only on the basis of valid consent. The insurer brought an action against this order. The Federal Administrative Court (BVerwG) ultimately ruled in favour of the defendant supervisory authority: it set aside the judgements of the lower courts and dismissed the action.

The decision concerns not only health insurers, however, but every controller and data protection officer in municipal and state administrations that processes health data. It matters not only to the federal states and municipalities themselves, but also to municipal and state-owned companies such as medical care centres. The question is not simply "whether" sensitive health data may be handled, but "how".

Increased protection of sensitive health data

In this case the Federal Administrative Court ruled that insurers may not analyse and evaluate the health data of insured persons without their consent in order to identify potential participants for health programmes. At the same time, the court specified and tightened the requirements for the processing of sensitive health data (Ref.: 6 C 7.24 of 6 March 2026). The lower courts had held that processing health data for the purpose of preventive healthcare was permissible.

The Federal Administrative Court took a different view: analysing the invoices and diagnoses is not permitted without the consent of the data subjects. The analysis does not breach the prohibition on processing health data in Art. 9 para. 1 GDPR as such, because the exception for processing necessary for preventive healthcare (Art. 9 para. 2 lit. h) GDPR) applies. But that alone is not enough: the processing also needs a legal basis under Art. 6 para. 1 GDPR, and there is none. The balancing of interests required under Art. 6 para. 1 subpara. 1 lit. f) GDPR comes out in favour of the insured persons. This holds even though preventive healthcare and lower treatment costs are also in the insured persons' own interest; the special protection of their sensitive health data under Art. 9 GDPR weighs more heavily.

The court further reasoned that the health programmes were not part of the "core medical area", and that the processing in question had a "broad scope". The insurer had also failed to inform its customers adequately about the processing. The court left open, however, whether data originally collected only for billing and reimbursement may be further processed for other purposes at all.

High requirements for handling health data in practice

The Federal Administrative Court thus strengthens the data subjects' right to informational self-determination and sets a high bar for the processing of health data by controllers.

Requirements and obligations for federal states and municipalities when processing sensitive health data

The decision is relevant not only to the activities of private health insurers in the area of healthcare, but also to municipalities and federal states and their companies, such as medical care centres.

Healthcare in the federal states and municipalities is an essential part of public services of general interest. Local authorities process health data to fulfil statutory tasks such as infection protection or school entry examinations. Health data is also used for voluntary health promotion programmes, such as stress management and exercise programmes run by federal states and municipalities, or health surveys to improve local services in cities.

Even though the latter are voluntary municipal services, the GDPR's requirements must be met when handling this sensitive health data.

Practical tips for municipalities, federal states and municipal companies

  • Check and document the legal basis for data processing: Controllers who wish to analyse, evaluate or otherwise process sensitive health data always need a legal basis under Art. 6 para. 1 in conjunction with Art. 9 para. 2 GDPR. Both requirements must be satisfied for every single processing operation, and the basis relied on must be carefully checked and documented.

  • Standardise consent and make it comprehensible: For voluntary municipal health promotion programmes, where no "legitimate interest" can be relied on (and public authorities cannot invoke Art. 6 para. 1 lit. f) GDPR for processing carried out in the performance of their tasks, Art. 6 para. 1 subpara. 2 GDPR), the consent of the data subjects is generally required. Consent must meet the requirements of Art. 4 No. 11 and Art. 7 GDPR and, for health data, must be explicit (Art. 9 para. 2 lit. a) GDPR). Above all, it must be given freely and for the specific purpose.

  • Reassess changes of purpose: If health data that has already been collected is to be used by a municipal company for a different purpose, this is permitted only in exceptional cases. In case of doubt, a new legal basis is required, which will usually mean obtaining the data subject's consent.

  • Inform data subjects comprehensively and fulfil transparency obligations: The purposes of processing and the legal bases must be communicated to data subjects clearly and comprehensibly. Art. 13 GDPR obliges municipalities, federal states and municipal companies to provide this information transparently, and it must be provided at the time the health data is collected.

About the author

Zeynep Kenar, attorney-at-law at DOMBERT Rechtsanwälte

Zeynep Kenar is a lawyer at DOMBERT Rechtsanwälte. Her work focuses on data protection, digitalisation and the use of AI in municipal administration. She advises on all questions of data protection law and supports the legally compliant design and implementation of data protection-relevant measures in the federal states and municipalities.
