CJEU - C‑21/23 - Lindenapotheke

From GDPRhub
Revision as of 08:12, 9 October 2024 by Ao (rephrased summary)
CJEU - C‑21/23 Lindenapotheke
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
Article 4(15) GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 79 GDPR
Article 80 GDPR
Article 82(1) GDPR
§3 UWG
Decided: 04.10.2024
Parties:
Case Number/Name: C‑21/23 Lindenapotheke
European Case Law Identifier: ECLI:EU:C:2024:846
Reference from: BGH
I ZR 223/19
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: ao

The CJEU held that information entered by customers when ordering pharmacy-only medical products constitutes health data, even when the product is prescription-free. Further, the CJEU found that the GDPR does not preclude national law enabling a controller’s competitor to challenge GDPR infringements in court as a prohibited unfair commercial practice.

English Summary

Facts

The reference originates from a civil dispute between two competing pharmacists (the controller and DR) brought before a German regional court (Landgericht Dessau-Roßlau – LG Dessau-Roßlau). The controller sold non-prescription but pharmacy-only medicine through Amazon, requiring customers to enter their name, delivery address and the information necessary for the individualization of the medicines.

On the basis of the German legislation on unfair commercial practices, DR sought an injunction prohibiting the controller from selling pharmacy-only but non-prescription medication through Amazon unless customers could express their consent to the data processing in advance. DR alleged that the sale through Amazon was unlawful under the GDPR as it did not ask for the prior consent of the customers, as required under Article 9(2) GDPR for the processing of sensitive data.

The Regional Court and the Higher Regional Court (Oberlandesgericht Naumburg – OLG Naumburg) held that the marketing of pharmacy-only medication is contrary to paragraph 3 of a national law on unfair competition (§3 Gesetz gegen den unlauteren Wettbewerb (UWG)). Also, without explicit consent from the customers, the processing is prohibited under the GDPR since it entails the processing of special categories of personal data.

The controller then appealed the case to the Federal Court of Justice (Bundesgerichtshof - BGH) which referred to the CJEU the following preliminary questions:

1) Does the GDPR preclude national provisions which grant competitors the power to take action against the infringer for infringements of the GDPR by way of an action before the civil courts under the prohibition of unfair commercial practices?

2) Are the data of an online pharmacist’s customers in connection with online-orders for pharmacy-only (but not prescription-only) medicines health data within the meaning of Article 9(1) GDPR?

Advocate General Opinion

1. First question (Chapter VIII)

In order to answer the question of whether Member States could make provision in their national law for alternative remedies to those established by the GDPR, the Advocate General (AG) states that the identity of the beneficiaries must first be determined. He states that none of the substantive provisions of the GDPR is intended to ensure free and undistorted competition between undertakings and to make them the beneficiaries of the GDPR. As only data subjects or their representatives can bring actions under the GDPR, it is clear to him that data subjects are the only beneficiaries of the protection granted by the GDPR.

The AG holds that others are able to bring actions based on national law only incidentally. Here the action was brought due to unfair competition of which an infringement of the GDPR is a consequence. With reference to C‑252/21, he elaborates that the CJEU accepts that an infringement of the provisions of the GDPR may constitute an infringement of competition law. He states that as long as national actions do not undermine the system of remedies provided by the GDPR, they should be accepted. As the rights and remedies made available to the data subject under the GDPR are not compromised by an action being taken by a third party against a competitor, the AG concludes that such a claim is admissible.

2. Data concerning health

For the AG, the determining factor for establishing whether certain personal data are data concerning health is that it is possible to draw inferences about the health status of the data subject. As this information constitutes the most private sphere of persons and may expose their vulnerabilities, the AG calls for a wide interpretation of the concept of “particular categories of personal data” of which data concerning health form part. However, he highlights that the assumption cannot be mere supposition, but must present a certain degree of certainty.

Further, he states that the identity of the controller may be the deciding factor in determining the status of data concerning health. An institution in the health sector with the competence to interpret the data can determine the classification of personal data; therefore, it is up to the court to analyse the substance of the data as well as the circumstances of processing. He gives the example of an order for paracetamol, which does not allow any inference to be drawn as to the precise state of a person. Further, the data subject could be ordering the medicine for someone else. He therefore concludes that the data of the customers of a pharmacist do not classify as data concerning health under Article 4(15) and Article 9 GDPR if only hypothetical or imprecise conclusions can be drawn about the data subject, which it is for the referring court to verify.

Holding

1. First question (Chapter VIII)

The CJEU pointed out that the complaint was not brought by an affected person under Article 79 GDPR nor by an organisation representing them under Article 80 GDPR, but by a competitor to the controller. The court made reference to the AG opinion (point 80) which states that only data subjects, and not these competitors, are the addressees of the protection of personal data guaranteed by the GDPR.

However, the court highlighted that Article 80(2) GDPR does not preclude a national provision under which an association for the protection of consumers’ interests may bring an action against an alleged infringer. The CJEU recalled that a violation of the GDPR can affect not only data subjects but also third parties. This is reflected, inter alia, in Article 82(1) GDPR which provides for damages for “any person who has suffered material or non-material damages as a result of an infringement” of the GDPR.

The court stated that from the point of view of prohibiting the use of unfair commercial practices, these claims do not affect the objectives but may even reinforce the practical effectiveness of the GDPR and thus improve the protection of data subjects. Further, the provisions of Chapter VIII of the GDPR must be interpreted as not precluding national legislation which grants competitors the right to take a civil action for infringement of the GDPR in order to prevent unfair commercial practices.

2. Second question (Article 9 GDPR)

The court stated that if data relating to the purchase can be used to draw conclusions about the state of health of an identified or identifiable person, they are to be regarded as health data within the meaning of Article 4(15) GDPR.

The CJEU recalled that the definition of medical data is to be interpreted in a broad sense and therefore includes the processing of data which may indirectly reveal sensitive information. The CJEU clarified that the classification of data concerning health must apply regardless of whether the data in fact relates to another person, the accuracy of the data and the identity and intention of the controller. In regard to the data entered on an online platform in connection with the purchase of medical products, conclusions can be drawn about the state of health of the data subject within the meaning of Article 4(1) GDPR, regardless of their stated purpose and the accuracy of the information.

Differentiating according to the type of medicinal product concerned and whether its sale requires a medical prescription would not be consistent with the objective of the high level of protection required for sensitive data. The court explains that the risk of conclusions being drawn on a data subject’s health status cannot be eliminated. Therefore, the data entered by the data subjects in this case is classified as sensitive data as per Article 9(1) GDPR regardless of whether the information entered affects the user or another
