BVerwG - 6 C 7.24

Summary

The German Federal Administrative Court ruled that while processing health data for preventive programs by insurance companies can fall under the GDPR's preventive healthcare exemption (Article 9(2)(h)), such processing still requires a legal basis under Article 6(1) GDPR. The court found that the specific processing in question lacked this necessary legal basis, overturning lower court decisions.

Full text

Help BVerwG - 6 C 7.24: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:57, 3 June 2026 view sourceAv (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators17 editsTag: Visual edit← Older edit Latest revision as of 09:17, 10 June 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators17 editsTag: Visual edit Line 64: Line 64: }}}} The Federal Administrative Court held that the processing of health data by a private health insurance association when offering screening and preventive programs fell under the definition of preventive healthcare within the meaning of [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]]. The processing lacked legal basis under [[Article 6 GDPR|Article 6(1)(f) GDPR.]]The Federal Administrative Court held that the processing of health data by a insurance company offering preventive programs fell under the preventive healthcare exemption in [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]]. However, the relevant processing lacked a legal basis under [[Article 6 GDPR|Article 6(1) GDPR.]] == English Summary ==== English Summary == Latest revision as of 09:17, 10 June 2026 BVerwG - 6 C 7.24 Court: BVerwG (Germany) Jurisdiction: Germany Relevant Law: Article 6(1)(f) GDPR Article 9(1) GDPR Article 9(2)(h) GDPR Decided: 06.03.2026 Published: 20.05.2026 Parties: National Case Number/Name: 6 C 7.24 European Case Law Identifier: Appeal from: OVG Rheinland-Pfalz (Germany)10 A 10294/23 Appeal to: Original Language(s): German Original Source: REWIS (in German) Initial Contributor: av The Federal Administrative Court held that the processing of health data by a insurance company offering preventive programs fell under the preventive healthcare exemption in Article 9(2)(h) GDPR. However, the relevant processing lacked a legal basis under Article 6(1) GDPR. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts An insured person (the data subject) lodged a complaint with a DPA in March 2019 against a mutual health insurance association (the controller) that offered screening and preventive programs for i.e. diabetes, asthma and back problems. The data subject stated the controller had violated Articles 5(1)(a), 6(1) and 9(1) GDPR by analysing invoices containing health data of its insured persons for reimbursement in connection with offering individualised preventive programs without first obtaining consent. The DPA issued the controller a reprimand in February 2022 and ordered it to only carry out such processing operations based on consent. The administrative court revoked the DPA decision in March 2023 in response to the appeal brought against it. The higher administrative court dismissed the DPA’s subsequent appeal in June 2024. It considered the challenged DPA decision to be materially unlawful: the court held that the processing was necessary for the purposes of preventive medicine and thus fell under the exception to the prohibition of the processing of sensitive categories of personal data in Article 9(2)(h) GDPR. The DPA appealed the court’s decision to the German Federal Administrative Court. The dispute before it concerned whether the processing operations carried out by the controller were covered by exception in Article 9(2)(h) GDPR and whether there was a legal basis for the processing operations under Article 6(1)(f) GDPR. Holding The German Federal Administrative Court held that the exception in Article 9(2)(h) GDPR was applicable to the processing operations in connection with the screening and preventive programs offered by the controller. The court amended the judgments of the lower courts and dismissed the controller’s claims. The DPA’s appeal was justified. First, the court found that Article 9(2)(h) GDPR was applicable to the present case despite the fact that the controller did not directly provide the health-related services itself, but only arranged them. According to the court, a systematic reading of Article 9(2)(h) supports the view that the concept of preventive healthcare covers the entirety of measures aimed at preventing illness as far as possible, not only the narrow area of a doctor-patient relationship. The necessity criterion was also satisfied: the controller’s interest in the processing was not limited to self-serving economic interests, as improved healthcare will regularly also reduce the financial burden on a large number of insured persons. Furthermore, the processing was carried out on the basis of Member State law in accordance with Article 9(2)(h). Second, the court held that there was no legal basis for the processing of personal data under Article 6(1) GDPR and amended the appealed judgment in this regard. In the present case, Article 6(1)(f) was the only possible legal basis as no consent of the data subject had been obtained. However, the controller had not informed the data subject of its legitimate interests as required by Article 13(1)(d) GDPR. In addition, the court ruled that the balancing test under Article 6(1)(f) GDPR could only lead to the conclusion that the interests of the data subject outweigh the legitimate interests of the controller. This was supported by the higher level of protection of sensitive health data, the wide range of data processing by the controller, and the fact that the health care programs offered by the controller were not a part of the core area of medical care. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the German original. Please refer to the German original for more details. Federal Administrative Court Case No. 6 C 7.24 March 6, 2026 Processing of diagnoses in invoices submitted for reimbursement by private health insurance companies for the purpose of offering preventive care programs REWIS: LEGAL TECHNOLOGY URL: https://rewis.io/s/u/x82/ Database for case law of the Federal Administrative Court Information provided without guarantee. 6th Senate © REWIS UG (limited liability) Case No. 6 C 7.24 of March 6, 2026 | rewis.io Case No. 6 C 7.24 of March 6, 2026 Judgment | Federal Administrative Court | 6th Senate Principle 1. Preventive care and health programs offered by private health insurance companies such as coaching programs for diabetes, asthma, or back problems, fall under the definition of preventive healthcare within the meaning of the exception to the prohibition on processing health data (Article 9(1) GDPR) regulated in Article 9(2)(h) GDPR. 2. As the legal basis for data processing required by Article 9(2)(h) GDPR, Section 22(1)(1)(b) of the German Federal Data Protection Act (BDSG) does not violate either the prohibition on repeating EU law provisions or the requirements of legal certainty. ``` 3. Section 22 Paragraph 1 No. 1 Letter b of the German Federal Data Protection Act (BDSG) does not require that employees of a private health insurance company who are involved in processing particularly sensitive data be subject to a specific professional confidentiality obligation in addition to Section 203 Paragraph 1 No. 7 of the German Criminal Code (StGB). Judgment Upon the defendant's appeal, the judgment of the Higher Administrative Court of Rhineland-Palatinate of June 28, 2024, and the judgment of the Administrative Court of Mainz of March 16, 2023, are amended. The action is dismissed. The plaintiff shall bear the costs of the proceedings in all three instances. Facts 1. The parties are in dispute regarding the permissibility under data protection law of the analysis of invoices submitted by its insured members for reimbursement, carried out by a private health insurance company for the purpose of offering individualized preventive care programs. ... 2 The plaintiff, a private m

Entities