European Union
My health data was shared with my insurance company without permission. What can I do?
You have the right to object to your health data being shared with your insurance company without your explicit consent under EU law, and you can file a complaint with your national data protection authority.
What the Law Says
Under the General Data Protection Regulation (GDPR), health data is classified as 'special category data' and receives heightened protection. Sharing it without your explicit, informed, and freely given consent is generally unlawful.
Article 9(1) of the GDPR states that processing of personal data revealing health information is prohibited unless one of the specific exceptions in Article 9(2) applies. Insurance companies cannot rely on 'legitimate interests' or 'contractual necessity' alone to justify processing your health data — they must obtain your explicit consent, unless another narrow exception (e.g., legal obligation or substantial public interest) applies and is strictly necessary.
Recital 53 clarifies that 'the processing of personal data for the purposes of preventive or occupational medicine... or the provision of health care or treatment' may be permitted under certain conditions — but this does not extend to commercial insurance risk assessment without consent.
You also have the right to withdraw consent at any time (Article 7(3)), the right to object to processing (Article 21), and the right to lodge a complaint with a supervisory authority (Article 77).
Statutory Text
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
— Regulation (EU) 2016/679, Art. 9(1) — Prohibition of processing special categories of personal data
Statutory Text
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
— Regulation (EU) 2016/679, Art. 7(1) — Conditions for consent
Statutory Text
The data subject shall have the right to withdraw his or her consent at any time.
— Regulation (EU) 2016/679, Art. 7(3) — Withdrawal of consent
What to Do
Contact your insurer in writing to request confirmation of what health data was shared, the legal basis used, and to withdraw any purported consent.
File a formal complaint with your national Data Protection Authority (e.g., CNIL in France, ICO in the UK pre-Brexit, or your country’s DPA — find yours at https://edpb.europa.eu/about-edpb/about-edpb/members_en).
Request access to your personal data using a GDPR Subject Access Request (SAR) — the insurer must respond within one month.
If you suffered harm (e.g., denial of coverage or higher premiums), consider seeking compensation through national courts.
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.