by fragileone 1849 days ago
Under article 6 of the GDPR this is allowed since "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;", thus informed consent isn't necessary and opt-out is legal.

Whilst legally permissible, being opt-out with highly sensitive information is detestable and shows the GDPR doesn't go far enough.

1 comments

Article 6 is not the one that really matters here, because we're talking about health-related personal data, which is one of the special categories. Article 9 is the main one dealing with those and it imposes significantly stronger requirements. In particular, the various conditions under which it may be legal to process that data under Article 9 make repeated references to requirements for safeguards and professional secrecy. They still don't seem to outright prohibit general data lakes and opt-out arrangements, though.