The decision of the German Federal Court of Justice (Bundesgerichtshof - BGH) in the “Lindenapotheke” case (BGH, judgment of 23 January 2025, I ZR 222/19) follows the judgment of the ECJ in Case C-21/23 of 4 October 2024 and confirms for Germany that competitors can sue for data protection violations. The ruling also clarifies the scope of GDPR with respect to health data.

Background

The legal dispute before the BGH concerns a dispute between two pharmacy operators in Germany. One of the parties sold prescription-only, but pharmacy-only, medicines via an online platform. A competitor of the seller filed an injunction suit because, in his opinion, the seller had violated data protection regulations by processing customers' health data without consent. The Dessau-Roßlau Regional Court (LG Dessau-Roßlau) found in favor of the plaintiff at first instance, and the Naumburg Higher Regional Court (OLG Naumburg) dismissed the defendant's appeal. The BGH referred the questions to the ECJ on 12 January 2023, asking whether the data collected from customers when they place an order – such as name, delivery address and ordered medication – constitute health data within the meaning of Art. 9 GDPR and, if so, whether competitors can take legal action in relation to related violations of the GDPR. The ECJ ruled that the GDPR does not preclude competitors from pursuing data protection violations under Member States law and that the specific order data constitutes health data.

The decision of the Federal Court of Justice

Unsurprisingly, the BGH ruled on the basis of the ECJ decision that competitors are entitled to bring an action for injunctive relief under section 8(3) No. 1 of the Act against Unfair Competition (UWG) to seek injunctive relief in the event of data protection violations. This applies to all violations of the provisions of the GDPR that constitute market conduct rules.

Furthermore, the BGH substantiated the ECJ ruling on the classification of order information for non-prescription medicines as health data. The BGH is of the opinion that in the present case, the specific drug in connection with the data subject as the person placing the order constitutes health data within the meaning of Art. 9 GDPR and may therefore only be processed to a limited extent. In the specific case of an order via an online marketplace, the seller should have obtained the buyer's consent to process the order data, which he did not do. According to the BGH, processing of the buyer’s data without the required consent within the meaning of Art. 9 para. 1 GDPR constitutes a violation of a market conduct rule within the meaning of sections 3, 3a UWG, so that competitors can assert claims for injunctive relief under sections 8 (3) No.1 UWG.

Practical recommendation

Following the ECJ decision C-21/23, it became apparent that various to-dos for companies would follow as a result of these proceedings. Specifically:

• Review legal bases: Sellers must check not only when selling prescription drugs, but also when selling non-prescription drugs, whether there is an effective legal basis for processing personal data in the ordering process. If there is no legal basis for the processing, such a violation is likely to occur in any case. Due to the broad interpretation of the courts, it should also be checked whether the threshold for processing health data is exceeded for goods or services that are already related to health.
• Check deletion of retained data: If personal data has been processed in the past without a sufficient legal basis, it must be deleted immediately. Caution: Any existing retention obligations, e.g. under tax law, must still be observed.
• Adjust technical and organizational measures: If certain data has previously been incorrectly not qualified as health data, the relevant technical and organizational measures for processing must be reviewed and adjusted to ensure the required level of protection.
• Marketplaces: Marketplace operators are required to provide their sellers with the technical means to offer the necessary consent for the processing of health data in the checkout process. Otherwise, sellers may be able to claim damages from the marketplace operator. Marketplace operators must take particular care with regard to the processing of health data in hybrid marketplaces.