10.10.2024
FILM, MEDIA & GAMING

The new rules for the processing of personal data by online pharmacies

On 4 October 2024, the Court of Justice of the EU ruled in Case C-21/23, which will significantly impact e-commerce businesses, particularly pharmacies selling online. The Court decided that the information entered when ordering medicines online, such as name, delivery address and elements necessary for the individualisation of medicinal products, constitutes ‘health data’ within the meaning of the GDPR, even if the sale does not concern prescription medicinal products.

Circumstances of the ruling

The Court was hearing the case following a request for a preliminary ruling from the Federal Court of Justice in Germany. The dispute before the German courts began with a lawsuit filed by the owner of an online pharmacy, who demanded that his competitor, which sells medicinal products on a trading platform, be ordered to stop selling medicinal products, the sale of which is reserved for pharmacies, until it is guaranteed that the customer can give prior consent to the processing of his “health data”. In the plaintiff’s view, marketing medicinal products whose sale is restricted to pharmacies on the sales platform was unfair because it failed to comply with the requirement under data protection legislation to obtain customer consent. It is worth noting that, as part of the ordering process, customers only provided their name, delivery address and the elements necessary to individualise these medicinal products.

The court of first instance accepted the claim and the appeal was dismissed. The court of appeal held that the marketing on a trading platform of medicinal products, the sale of which is reserved for pharmacies, constitutes an unfair practice and is therefore contrary to German law. According to the court, such placing of medicinal products on the market leads to the processing of health data, which is prohibited under Article 9(1) of the GDPR, without the express consent of the customers purchasing the medicinal products.

Question for a preliminary ruling

Following the dismissal of the appeal, the defendant retailer brought a cassation appeal before the Federal Court of Justice (Bundesgerichtshof), which held that the resolution of the dispute depended on the interpretation of the provisions of the GDPR and Directive 95/46 and consequently referred a preliminary question to the CJEU: does the data that a pharmacist’s customer provides when placing an order on an online sales platform for non-prescription medicines constitute health data, and therefore a special category of sensitive personal data within the meaning of the GDPR?

The German court also asked the CJEU to rule on whether the provisions of the GDPR preclude national legislation that grants competitors the right to bring a civil court action against the infringer for breach of the General Data Protection Regulation on the basis of the prohibition of unfair commercial practices.

CJEU ruling

Responding to the questions raised, the Court ruled that the information that customers enter when ordering medicinal products online, such as their name, delivery address and elements necessary for the individualisation of medicinal products, constitutes data concerning health within the meaning of those provisions, even if the sale of those medicinal products is not subject to a medical prescription.

The Court noted that, in the circumstances of the case, it must be determined whether the data indicated in the order are likely to reveal information about the health of the ordering persons and consequently constitute health data within the meaning of Article 9 of the GDPR. In the Court’s view, the concept of ‘data concerning health’ should be interpreted broadly, as the provisions concerning this category of data aim to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their privacy.

In the Court’s view, to qualify as health data within the meaning of the GDPR, personal data must be capable of revealing, by means of an intellectual operation of reconciliation or deduction, information about the data subject’s state of health. Thus, processing personal data that may indirectly disclose sensitive information about an individual should not be excluded from the enhanced protection regime provided by these provisions for a specific category of data.

The CJEU’s decision may seem controversial. The German court that referred the question for a preliminary ruling had already pointed out that the answer is not evident in a situation where the ordered medicinal products are not supplied on a medical prescription. It cannot be excluded that these medicinal products will be ordered not for the customers themselves but for third parties who will not be identifiable.

It is worth noting that in his opinion on the case at hand, the Advocate General of the Court of Justice of the EU, Maciej Szpunar, considered that the data referred to did not constitute ‘health data’ of the customers of the online pharmacy, as it did not make it possible to establish their state of health. He reasoned, in particular, that a person who buys such medicines online will not always use them and sometimes orders them as a precautionary measure, just in case, without showing any ailments.

Responding to the second question posed, the Court ruled that the provisions of the GDPR must be interpreted as not precluding national legislation that grants the competitors of an alleged data protection violator standing to bring an action against it before the civil courts for breaches of the Regulation, on the basis of the prohibition of unfair commercial practices. This means additional risks for entrepreneurs. Indeed, in addition to being liable before a supervisory authority for violations of the rules on processing personal data, companies may then face lawsuits from their competitors.

Implications of the ruling

The Court’s ruling will undoubtedly have significant implications for online pharmacies and e-commerce platforms. The CJEU has significantly ‘broadened the definition’ of health data under the GDPR by also recognizing as such data collected during orders in online pharmacies – the customer’s name, delivery address and information necessary for the individualisation of medicinal products (even in the case of non-prescription medicines).

As a consequence, entities selling medicines online will be processing ‘special categories of personal data’ of their customers – health data – which implies the need to take a number of measures, including, in particular: introducing stricter security measures for the processing of personal data (technical and organisational), obtaining the explicit consent of customers ordering medicines for the processing of their health data, reviewing and updating personal data protection documentation to ensure transparency in the collection, use and protection of health data, as well as many other obligations. That means more risk on the part of entrepreneurs regarding the processing of personal data and potentially more stringent liability in the event of a personal data breach.

Conclusion

The CJEU ruling has significant consequences for the e-commerce sector, particularly online pharmacies and those operating on trading platforms. The broad definition of ‘health data’ and the ‘acceptance’ of lawsuits between competitors based on breaches of the GDPR in the context of unfair market practices will require businesses to change their approach and take into account the new risks to their business.
