In its ruling of October 4, 2024(ECJ, Ref.: C-21/23), the European Court of Justice answered two questions relevant to data protection law: firstly, whether competitors can challenge data protection violations under competition law and, secondly, whether order data from the sale of pharmacy-only but non-prescription medicines already constitutes health data.
What was the specific case about?
The starting point was a legal dispute between two pharmacy operators. The background was the sale of pharmacy-only medicines via an online platform. Customers had to enter data such as their name, delivery address and information on the individualization of the ordered product. The ECJ was asked to clarify whether such information should be classified as health data under data protection law and whether competitors may sue for GDPR violations.
Why is this health data?
The ECJ interprets the term “health data” broadly. The decisive factor is not whether information proves the state of health with certainty. Rather, it is sufficient that conclusions about a person’s state of health can be drawn from the data through mental association. This is precisely the case with orders for pharmacy-only medicines. Therefore, the customer data entered when ordering online can already constitute health data for online pharmacies – even if the medicine does not require a doctor’s prescription.
What does this mean in practice?
For operators of online pharmacies, the decision is a clear warning signal. Anyone processing such data falls within the scope of Art. 9 para. 1 GDPR. The processing of special categories of personal data is generally prohibited, unless an exception under Art. 9 para. 2 GDPR applies.
The ECJ did not make a blanket decision that only explicit consent is permissible in every case. However, the decision clearly shows that providers must examine and document the legal basis of their data processing very carefully. Where no viable exception applies, explicit consent will generally be the obvious choice. This conclusion follows from the classification as health data and from the system of Art. 9 GDPR.
Competitors may pursue GDPR violations
The first part of the ruling is also particularly relevant: The provisions of the GDPR do not preclude national regulations according to which competitors can pursue GDPR infringements before civil courts via fair trading law. This is explosive for Germany because it leaves the route via Section 8 (3) No. 1 UWG open in principle. Data protection law is therefore not only the law of supervisory authorities and data subjects, but can also be a risk under competition law.
Frequently asked questions
Is order data from online pharmacies always health data?
Not in every individual case, but according to the ECJ, regularly if the order details allow conclusions to be drawn about the state of health. This applies in particular to pharmacy-only medicines – even without a prescription.
Can competitors now issue warnings for GDPR violations?
The UWG permits the prosecution of GDPR infringements under competition law. The prerequisite is that the infringement constitutes a commercial act. A case-by-case assessment remains necessary.
What do online pharmacies have to do now?
Order processes, consent texts, data protection notices and deletion concepts should be reviewed and adapted in a timely manner. For health data, explicit consent or an exception pursuant to Art. 9 para. 2 GDPR is generally required.
What this means in practice
The decision raises awareness of the fact that health data may be available to online pharmacies much earlier than many companies had previously assumed. It is not just diagnoses or prescriptions that are sensitive. Even the combination of product reference, order details and customer assignment can be sufficient. In practice, this means that ordering processes, consent texts, data protection notices, technical access rights and deletion concepts should be reviewed promptly. The risk of litigation increases significantly, particularly because competitors can now also take action against infringements.
