§ 37 BDSG
Automated individual decision-making including profiling
(1)The right pursuant to Article 22 Subsection (1) of Regulation (EU) 2016/679 not to be subject to a decision based solely on automated processing shall not apply, in addition to the exceptions referred to in Article 22 Subsection (2)(a) and (c) of Regulation (EU) 2016/679, where the decision is made in the context of the provision of benefits under an insurance contract and 1 the request of the data subject has been granted or; 2 the decision is based on the application of binding remuneration rules for medical treatment and the controller takes appropriate measures to safeguard the legitimate interests of the data subject in the event that the application is not fully granted, which shall include at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision; the controller shall inform the data subject of these rights no later than at the time of the notification that the application of the data subject has not been fully granted.
(2)Decisions under Subsection (1) may be based on the processing of health data within the meaning of Article 4 No. 15 of Regulation (EU) 2016/679. The controller shall provide for appropriate and specific measures to safeguard the interests of the data subject pursuant to Section 22 Subsection (2), second sentence.