Hacker News
by fretn 2336 days ago
A few weeks ago my blood needed a checkup. They sent me the results by mail. The results were on a non-password-protected but 'unguessable' URL. And the page of course contained Google Analytics. I'm in the EU, and I wonder if this is legal.
1 comments

If they haven't notified you, and hence you can't/didn't comply, it probably isn't. Especially medical companies are scrutinized for following GDPR. You could make a case here to either the company's privacy officer or your country's privacy watchdog.

https://gdpr-info.eu/art-39-gdpr/