The decision of the European Court of Justice (ECJ) clarifies, among other things, the extent to which competitors of a company can assert data protection violations under civil law and how the processing of personal health data in online trading is to be assessed.
Legal dispute between two competing pharmacists ends up before the BGH
The subject of proceedings C-21/23 was a dispute between two pharmacists regarding the sale of pharmacy-only but non-prescription medicines via the Amazon platform. Lindenapotheke sold its products via Amazon, whereby customers had to provide personal data such as name and delivery address as well as information required for individualization. A competitor filed an injunction against this distribution. The pharmacist claimed that the customers' consent to the processing of their health data had not been sufficiently obtained, which constituted a breach of Art. 9 GDPR.
The Regional Court and the Higher Regional Court of Naumburg ruled in favor of the competitor in the lower courts. They considered the sale to be an unlawful commercial act under the Unfair Competition Act (UWG). Lindenapotheke then appealed and the case ended up before the Federal Court of Justice (BGH). The BGH ultimately requested a preliminary ruling from the ECJ.
The proceedings focused on two legal questions raised by the BGH, which were answered by the ECJ:
- The legal standing of competitors in the event of data protection violations: Does the GDPR allow a company's competitors to bring civil claims for breaches of the regulation?
- Classification of data when ordering pharmacy-only medicines online: Are the data entered by the customer in the context of an online order (such as name, address and information on the individualization of the medicinal product) considered health data within the meaning of Art. 9 para. 1 judgment of the ECJ?
ECJ interprets health data broadly
The ECJ stated in case C-21/23 | Lindenapotheke:
- Competitors' right to sue for data protection violations
The ECJ has clarified that the provisions of Chapter VIII of the GDPR do not preclude a national regulation that enables competitors to assert infringements of the GDPR before the civil courts on the grounds of unfair commercial practices. This gives competitors the right to sue, even if they are not directly affected within the meaning of the GDPR.This decision is particularly important in the area of competition law, as data protection violations can now also be classified as anti-competitive behavior by competitors and prosecuted in court. According to the ECJ, this helps to strengthen the rights of data subjects and guarantee them a high level of protection. "In addition, this may prove to be particularly effective, as it can prevent numerous infringements of the General Data Protection Regulation", the ECJ continued.
- Classification of data when ordering pharmacy-only medicines online
On the second question, the ECJ ruled that data entered when ordering pharmacy-only but non-prescription medicines qualifies as health data within the meaning of Art. 9 para. 1 GDPR. It does not matter whether a medicine is subject to prescription or not. This applies regardless of whether the medicines are intended for the purchaser themselves or for third parties.
The ECJ clarified that health data must not only be directly available, but can also be indirectly derived from the information entered. The entry of names, addresses and medication information allows conclusions to be drawn about a person's state of health, which classifies this data as particularly worthy of protection within the meaning of the GDPR.
Reading tip: ECJ interprets "legitimate interest" in accordance with Art. 6 para. 1 lit. f GDPR
Companies beware: Competitors can also be punished for data protection violations
The ECJ's ruling has significant implications for online pharmacies and other companies that process sensitive health data:
- Increased liability due to legal standing of competitors
Companies must be prepared for the fact that data protection violations can be prosecuted not only by data subjects or data protection authorities, but also by competitors. This leads to an increased liability risk, as breaches of the General Data Protection Regulation can increasingly be seen as unfair business practices.For companies, this means increased scrutiny and compliance with data protection regulations, as economic competitors can also enforce compliance with the GDPR under civil law. This can lead to an increase in legal disputes, particularly in highly competitive markets such as the pharmacy sector.
- Raising awareness of health data
The decision makes it clear that companies that process personal data in the course of their business activities, which indirectly allow conclusions to be drawn about the state of health, must handle this data with particular care. According to Art. 9 GDPR, the processing of such health data requires either the express consent of the data subject or must be based on one of the exceptions listed in Art. 9 para. 2 GDPR, such as the provision of healthcare services.For online pharmacies, this means that they must ensure that effective consent to the processing of this data is obtained when collecting order data. It is not sufficient to obtain general declarations of consent. The consent must explicitly refer to the processing of health data.
The ECJ ruling underlines the importance of comprehensive data protection management in companies. Data protection violations can not only lead to high fines, but also to injunctions by competitors. Companies must therefore carefully review their internal processes, particularly with regard to consent and the processing of health data, and adapt them if necessary.
Source: Judgment of the Court of Justice in Case C-21/23 | Lindenapotheke