GDPR and Processing Health Data in Insurance Relationships: The Role of Statutory Legal Bases

Karin Sein, Gerald Spindler


The processing of health data is unavoidable in the insurance sector, both in the pre-contractual phase for risk assessment and after the insured event has occurred, when the insurer's payment obligation must be determined. Health data processing is particularly relevant in life, health and accident insurance but can also play a role in, e.g., travel insurance. However, the processing of health data as sensitive data cannot be based on contract performance, since Art. 9 GDPR, which governs the processing of sensitive data, contains no equivalent to Art. 6(1)(b) GDPR. Therefore, in some Member States insurance companies process health data on the basis of consent. In other Member States, the processing is based either on insurance-specific national rules or on one of the statutory legal bases in Art. 9(2) GDPR. In this article, we show, first, that consent-based processing of health data poses several problems in insurance relationships. We then give a comparative overview of several EU jurisdictions and show that different Member States have adopted different national rules for health data processing in the insurance sector and/or rely on different legal bases in Art. 9(2) GDPR. We conclude that there is no uniform understanding in the EU of how, and on which legal basis, health data can be processed in insurance relationships. To overcome this legal uncertainty, we propose introducing a provision in the GDPR allowing insurers to process health data to the extent necessary for the conclusion of an insurance contract, the determination of the insurer's payment obligation and the recovery of recourse claims – using the Dutch legislation as a blueprint.

Karin Sein, Professor at University of Tartu. Gerald Spindler, Professor at University of Goettingen.