Court case 6 C 7.24 – Court Ruling (Germany, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that a health insurance company could analyze health data for preventive programs without needing consent. This decision is important because it shows that certain health data processing can be allowed under specific conditions. Small businesses in the health sector should understand the exceptions to consent requirements when handling sensitive data.
What happened
A court found that a health insurance company analyzed health data for preventive programs without needing consent.
Who was affected
Insured persons whose health data was analyzed by the health insurance company were affected.
What the authority found
The court decided that the processing of health data was necessary for preventive medicine, falling under an exception in GDPR.
Why this matters
This ruling indicates that courts may allow health data processing without consent in specific cases. Companies in the health sector should review their data processing practices to ensure compliance with these exceptions.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
An insured person (the data subject) lodged a complaint with a DPA in March 2019 against a mutual health insurance association (the controller) that offered screening and preventive programs for i.e. diabetes, asthma and back problems. The data subject stated the controller had violated Articles 5(1)(a), 6(1) and 9(1) GDPR by analysing invoices containing health data of its insured persons for reimbursement in connection with offering individualised preventive programs without first obtaining consent. The DPA issued the controller a reprimand in February 2022 and ordered it to only carry out such processing operations based on consent. The administrative court revoked the DPA decision in March 2023 in response to the appeal brought against it. The higher administrative court dismissed the DPA’s subsequent appeal in June 2024. It considered the challenged DPA decision to be materially unlawful: the court held that the processing was necessary for the purposes of preventive medicine and thus fell under the exception to the prohibition of the processing of sensitive categories of personal data in Article 9(2)(h) GDPR. The DPA appealed the court’s decision to the German Federal Administrative Court. The dispute before it concerned whether the processing operations carried out by the controller were covered by exception in Article 9(2)(h) GDPR and whether there was a legal basis for the processing operations under Article 6(1)(f) GDPR. The German Federal Administrative Court held that the exception in Article 9(2)(h) GDPR was applicable to the processing operations in connection with the screening and preventive programs offered by the controller. The court amended the judgments of the lower courts and dismissed the controller’s claims. The DPA’s appeal was justified. First, the court found that Article 9(2)(h) GDPR was applicable to the present case despite the fact that the controller did not directly provide the health-related services itself, but only arranged the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 6 C 7.24 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 6 C 7.24 - Germany (2026). Retrieved from cookiefines.eu
Last updated: