23 octobre 2024
The ECJ ruling in Lindenapotheke from 4 October 2024 clarifies right of competitors to sue for GDPR violations and what constitutes health data.
Case C-21/23 before the European Court of Justice concerns a dispute between two pharmacy operators in Germany. One of the parties sold non-prescription but pharmacy-only medicines via an online marketplace platform. The competitor of this seller filed a lawsuit, claiming that the seller had violated data protection regulations by processing customers’ health data without obtaining the required consent. The key questions before the court were whether the data collected—such as name, delivery address, and ordered medicines—constituted “health data” under Article 9 GDPR and, if yes, whether competitors could take legal action in relation to any related GDPR breaches. Another issue was whether the sale of non-prescription medicines falls under the scope of Article 9 GDPR.
The ECJ ruled on two major points:
The ECJ clarified that the GDPR does not preclude national legislation that allows competitors to take action against data protection violations, even where they are not impacted data subjects, controllers or processors – essentially where they are third parties as far as the processing operations are concerned. This applies particularly when the breach also constitutes an unfair commercial practice: if the competitor is disadvantaged by the breach they may take legal action against the alleged offender. Therefore, alongside the rights of data subjects and the supervisory authorities, competitors can also pursue civil proceedings for data protection violations subject to national law.
The ECJ further ruled that customer data collected when purchasing non-prescription medicines – such as name, delivery address, and product details – is considered “health data” for GDPR purposes. The ECJ said that even basic information about standard pharmaceutical products can reveal information about customer health and is therefore special category data under Article 9 GDPR. An exemption to the general prohibition on processing special category data is therefore required (in this case, explicit consent to the processing). This analysis by the ECJ suggests a broad interpretation of what constitutes health data beyond pure health-related information.
This ruling has broad implications for businesses operating in the online health product and medicine market, as well as for handling personal data. Organisations should consider the following points:
This ruling sheds light on what constitutes health data. It also underscores the importance of GDPR compliance not only in relation to customers but also in relation to competition with other businesses, as well as the correlation between data protection and consumer protection law. The ECJ said this kind of action actually strengthens data protection in that it provides another avenue by which data subject rights can be protected as GDPR violations can be successfully challenged not only by affected individuals but also by competitors.