
BGH - I ZR 223/19

From GDPRhub
Court: BGH (Germany)
Jurisdiction: Germany
Relevant Law: Article 9 GDPR
Decided: 27.03.2025
Published: 01.05.2025
Parties:
National Case Number/Name: I ZR 223/19
European Case Law Identifier:
Appeal from: CJEU
C-21/23
Appeal to: Not appealed
Original Language(s): German
Original Source: Rewis (in German)
Initial Contributor: tjk

The Federal Court of Justice held that when a customer orders pharmacy-only medications via a pharmacist's seller account on Amazon, the order data processed constitutes health data within the meaning of Article 9 GDPR.

English Summary

Facts

A pharmacist sold non-prescription but pharmacy-only medicine through Amazon, which required customers to enter their name, delivery address and the information necessary for the individualization of the medicines.

On the basis of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG), a competitor sought an injunction prohibiting the controller from selling pharmacy-only but non-prescription medication through Amazon unless customers could express their consent to the data processing in advance. The competitor alleged that the sale through Amazon was unlawful under the GDPR because it did not ask for the customers' prior consent, as required under Article 9(2) GDPR for the processing of sensitive data.

The Regional Court granted the claim. The first Court of Appeal dismissed the defendant's appeal. The defendant pursued its motion to dismiss the action with the appeal granted by the Court of Appeal.

The BGH stayed the proceedings and referred the case to the CJEU for a preliminary ruling.

On 4 October 2024, the CJEU held in C-21/23, Lindenapotheke, that information entered by customers when ordering pharmacy-only medical products constitutes health data, even when the products are prescription-free. The Court further found that the GDPR does not preclude national law enabling a controller’s competitors to challenge GDPR infringements in court as prohibited unfair commercial practices.

Holding

The court implemented the CJEU's decision. It held that if a customer orders prescription-only medications via a pharmacist's account on Amazon, health data is collected and processed within the meaning of the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) and Article 9 GDPR.

Additionally, the court held that the processing of order data without express consent pursuant to Article 9(2)(a) GDPR constitutes a violation of a market conduct regulation pursuant to the German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb - UWG), for which the pharmacist is liable and against which a competitor can bring legal action before the civil courts under the prohibition of unfair business practices.

Comment

The court held that without express consent such processing constitutes a violation of a market conduct regulation pursuant to the German Unfair Competition Act (UWG), against which a competitor can bring legal action before the civil courts.

By judgement of the same date in I ZR 222/19, the court also ruled on area-specific drug law relating to the selling of pharmacy drugs on online marketplaces.

Also by judgement of the same date in BGH - I ZR 186/17 the court ruled on a similar question about the ability of consumer protection organisations to make use of Article 80(2) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Federal Court of Justice
I ZR 223/19
dated March 27, 2025
Medicine Order Data II
REWIS: LEGAL TECHNOLOGY
Database for Case Law
Information without guarantee
© REWIS UG (limited liability)
URL: https://rewis.io/s/u/KQl3/
Federal Court of Justice
1st Civil Senate
I ZR 223/19 dated March 27, 2025
Judgment | Federal Court of Justice | 1st Civil Senate
Guiding Principle
Medicine Order Data II
1. If a customer orders prescription-only medications via a pharmacist's account on the online platform "Amazon Marketplace" (Amazon), health data is collected and processed within the meaning of Section 4 (1) of the Federal Data Protection Act (BDSG) (old version).
2. The processing of order data without express consent pursuant to Art. 9 (2) (a) GDPR constitutes a violation of a market conduct regulation pursuant to Section 3a of the German Unfair Competition Act (UWG), for which the pharmacist is liable under competition law pursuant to Section 8 (2) UWG, and against which a competitor can bring legal action before the civil courts under the prohibition of unfair business practices.
Operative part
The appeal against the judgment of the 9th Civil Senate of the Naumburg Higher Regional Court of November 7, 2019, is dismissed at the defendant's expense.
As a matter of law
Facts
The plaintiff operates a pharmacy in M. The defendant is also a pharmacist and operates a pharmacy in G. He holds a mail-order license and also sells his product range online at "www.u-k-a.de". In addition, in 2017, the defendant sold its product range, which includes prescription-only medications, via the online sales platform "Amazon Marketplace" (hereinafter also: Amazon); it was represented there under the seller profile "Ap."
The plaintiff claims that the sale of prescription-only medications via Amazon is unfair under the aspect of a breach of law due to a violation of statutory requirements for obtaining customer consent under data protection law.
The plaintiff has filed a motion to prohibit the defendant, under threat of administrative fines, from selling prescription-only medications for competitive purposes via the Amazon online trading platform as long as the registration or purchase process via this online trading platform does not ensure that the customer can give prior consent to the collection, processing, and use of their health data (as special data within the meaning of Section 3 (9) of the Federal Data Protection Act) to a person or institution authorized to handle this health-related data.
The Regional Court granted the claim (LG Dessau-Roßlau, CR 2018, 646).
The Court of Appeal dismissed the defendant's appeal (OLG Naumburg, WRP 2020, 114). The defendant is pursuing its motion to dismiss the action with the appeal granted by the Court of Appeal. The plaintiff requests that the appeal be dismissed, alternatively with the proviso that the injunction reads "(as special data within the meaning of Article 9 of the GDPR)" instead of "(as special data within the meaning of Section 3 (9) of the Federal Data Protection Act)".
By order of January 12, 2023 (I ZR 223/19, GRUR 2023, 264 = WRP 2023, 324 - Arzneimittelbestelldaten I), the Senate stayed the proceedings and referred the following questions to the Court of Justice of the European Union for a preliminary ruling on the interpretation of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR) and Directive 95/46/EC on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Data Protection Directive, DPD):
1. Do the provisions in Chapter VIII of the General Data Protection Regulation preclude national provisions which – in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects – grant competitors the power to take legal action against the infringer for violations of the General Data Protection Regulation by way of a lawsuit before the civil courts under the prohibition of unfair commercial practices?

2. Are the data that customers of a pharmacist acting as a seller on an online sales platform enter on the sales platform when ordering pharmacy-only but non-prescription medications (customer name, delivery address, and information necessary for customizing the ordered pharmacy-only medication) health data within the meaning of Article 9 (1) GDPR and data concerning health within the meaning of Article 8 (1) GDPR?

The Court of Justice of the European Union ruled on this matter in its judgment of October 4, 2024 (C-21/23, GRUR 2024, 1721 = WRP 2024, 1318 - Lindenapotheke) as follows:
1. The provisions of Chapter VIII of the General Data Protection Regulation are to be interpreted as not precluding a national provision which – in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing this Regulation and the legal remedies available to data subjects – grants competitors of the alleged infringer of personal data protection rules the power to bring legal proceedings against the infringer for violations of the General Data Protection Regulation by way of an action before the civil courts under the aspect of the prohibition of unfair commercial practices.
2. Article 8 (1) of the Data Protection Directive and Article 9 (1) of the GDPR are to be interpreted as meaning that, in a case where a pharmacy operator sells pharmacy-only medicines via an online platform, data that its customers must enter when ordering these medicines online (such as name, delivery address, and information necessary for individualizing the medicines) constitute health data within the meaning of these provisions, even if the sale of these medicines does not require a doctor's prescription.
Reasons for the Decision
A. The Court of Appeal held that the injunction directed against the sale of pharmacy-only medicines via Amazon was justified under the aspect of a breach of law pursuant to Section 3a of the Unfair Competition Act. In this regard, it stated:
The disputed sale constitutes an unfair and therefore impermissible commercial practice pursuant to Section 3 (1) of the Unfair Competition Act because it violates a statutory provision within the meaning of Section 3a of the Unfair Competition Act. The sale of pharmacy-only medications via Amazon constitutes the processing of health data within the meaning of Art. 9 (1) GDPR, to which customers have not expressly consented in accordance with Art. 9 (2) (a) GDPR and which is also not otherwise permitted by law. The collected order data constitutes health data within the meaning of Art. 9 (1) GDPR. Conclusions about the health of the purchaser could be drawn from it. The provisions of the General Data Protection Regulation are to be regarded as market conduct regulations within the meaning of Section 3a of the German Unfair Competition Act (UWG) in the present case. The plaintiff, as a competitor, is entitled to enforce the injunction by way of legal action pursuant to Section 8 (3) No. 1 of the UWG.
B. The defendant's appeal is unsuccessful.
I. The injunction filed by the plaintiff satisfies the requirements of specificity under Section 253 (2) No. 2 of the Code of Civil Procedure, which must also be observed ex officio in appeal proceedings (Federal Court of Justice, judgment of January 10, 2019 - I ZR 267/15, GRUR 2019, 813 [juris para. 23] = WRP 2019, 1013 - Cordoba II, with further references).
1. According to Section 253 (2) No. 2 of the Code of Civil Procedure (ZPO), an injunction application – and according to Section 313 (1) No. 4 of the Code of Civil Procedure (ZPO) – may not be worded so vaguely that the subject matter of the dispute and the scope of the court's power to examine and decide are not clearly defined, the defendant is therefore unable to defend himself exhaustively, and ultimately the enforcement court is left to decide what the defendant is prohibited from doing. For this reason, injunction applications that merely repeat the wording of a law are generally considered too vague and therefore inadmissible. A different approach may apply if either the statutory prohibition itself is already formulated clearly and specifically, or the scope of application of a legal norm is clarified by a well-established interpretation, or if the plaintiff makes it sufficiently clear that he is not seeking a prohibition within the scope of the statutory wording, but is orienting his request for an injunction on the specific infringing act. However, in such cases, affirming the specificity generally requires that there is no dispute between the parties as to whether the conduct complained of fulfills the relevant element of the offense. The reproduction of the statutory prohibition in the wording of the application is also harmless if what is actually sought by the application, which itself is not sufficiently clear, is clearly established by interpretation based on the plaintiff's factual submissions, and the relevant factual arrangement between the parties is not questioned, but their dispute is limited exclusively to the legal characterization of the challenged conduct. Moreover, a wording of the application requiring interpretation may be acceptable if this is necessary to ensure effective legal protection (established case law; see only Federal Court of Justice, judgment of July 22, 2021 - I ZR 194/20, GRUR 2021, 1534 [juris para. 34] = WRP 2021, 1556 - Rundfunkhaftung I, with further references).
2. According to these principles, the injunction application and the resulting prohibition order issued by the district court are to be regarded as sufficiently specific.

a) To the extent that the application relates to medications that are "pharmacy-only," this legal term is specified by the legal definition in Section 43 Paragraphs 1 and 2 of the German Medicinal Products Act (AMG). There is also no dispute between the parties regarding the meaning of the term.
b) The requirements for specificity pursuant to Section 253 (2) No. 2 of the Code of Civil Procedure are also met if the application contains the term "health data" with the addition in parentheses "as special data within the meaning of Section 3 (9) of the Federal Data Protection Act" or - according to the alternative application - "as special data within the meaning of Article 9 of the GDPR" and thus contains terms that refer to the wording of the law.
Admittedly, there is a dispute between the parties regarding whether the customer data processed during the registration or purchase process via this online trading platform constitutes health data within the meaning of Section 3 (9) of the Federal Data Protection Act (BDSG) in the version valid until May 24, 2018 (old version) and Article 9 of the GDPR. However, this dispute only concerns the legal classification of the challenged conduct. The circumstances relevant to the challenged conduct itself, and thus what is actually sought in the injunction application, are not in dispute between the parties. According to the plaintiff's factual submissions, it clearly includes the data that the defendant's customers must enter when ordering pharmacy-only medications on the online sales platform "Amazon Marketplace," namely the customer's name, the delivery address, and the information necessary for customizing the ordered pharmacy-only medication (order data, see ECJ, GRUR 2024, 1721 [juris paras. 79 and 84] - Lindenapotheke; BGH, GRUR 2023, 264 [juris paras. 8 and 35] - Pharmaceutical Order Data I). Thus, the subject matter of the dispute and the scope of the courts' power of review and decision-making are sufficiently clearly defined.
II. The Court of Appeal also correctly assumed that the plaintiff, as a competitor pursuant to Section 8 (3) No. 1 of the German Act Against Unfair Competition (UWG), is entitled to assert the injunction based on a breach of law by violating data protection provisions for the protection of health data by way of a lawsuit before the civil courts under the aspect of the prohibition of unfair business practices pursuant to Section 3 (1) and Section 3a of the UWG.
1. Under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive, DPD), the plaintiff's standing to bring proceedings as a competitor arose from the general provisions (Section 51 of the Code of Civil Procedure, see Köhler/Feddersen in Köhler/Feddersen, Unfair Competition Act, 43rd ed., Section 8, marginal no. 3.8a; Ohly in Ohly/Sosnitza, Unfair Competition Act, 8th ed., Section 8, marginal no. 86). According to the case law of the Court of Justice of the European Union, the provisions contained in Chapter III of the Data Protection Directive do not preclude a national provision that allows associations to protect consumer interests to bring legal action against alleged violators of personal data protection provisions (see ECJ, judgment of July 29, 2019 - C-40/17, GRUR 2019, 977 [juris paras. 43 to 63] = WRP 2019, 1146 - Fashion ID). The same applies to the action brought by a competitor in question here (Federal Court of Justice, GRUR 2023, 264 [juris para. 9] - Pharmaceutical Order Data I). The Court of Justice of the European Union has assumed that Articles 22 to 24 of the Data Protection Directive do not comprehensively harmonize national provisions on judicial remedies that can be brought against alleged infringers of personal data protection provisions (ECJ, GRUR 2019, 977 [juris para. 57] - Fashion ID).
2. This right of action of the plaintiff as a competitor of the defendant did not cease to exist with the entry into force of the General Data Protection Regulation on May 25, 2018 (Article 99 (2) GDPR). The Court of Justice of the European Union has ruled that the provisions contained in Chapter VIII of the General Data Protection Regulation for the enforcement of the data protection provisions of the Regulation are not exhaustive. They do not conflict with the provisions of German law, which – in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects – grant the competitor of the alleged infringer of personal data protection provisions the right to bring legal action against the infringer for violations of the General Data Protection Regulation by way of a civil court action under the prohibition of unfair commercial practices (ECJ, GRUR 2024, 1721 [juris para. 73] - Lindenapotheke).
III. The Court of Appeal rightly held that the sale of pharmacy-only medications via the Amazon Marketplace online platform without the customer's prior consent to the collection, processing, and use of order data (the customer's name, delivery address, and the information necessary to customize the ordered pharmacy-only medication) constitutes an unfair commercial practice pursuant to Section 3 (1) and Section 3a of the German Unfair Competition Act (UWG).
1. According to Section 3a of the UWG, anyone who violates a statutory provision that is also intended to regulate market conduct in the interest of market participants acts unfairly if the violation is likely to significantly harm the interests of consumers, other market participants, or competitors.
2. The conduct complained of in the action violates the special provisions for the protection of health data pursuant to Section 4 (1), Section 4a (1) and (3), Section 28 (7) Sentence 1 of the Federal Data Protection Act (BDSG) (old version), and Article 9 (1) and (2) (a) and (h) of the GDPR, and thus violates statutory provisions within the meaning of Section 3a of the German Unfair Competition Act (UWG).
a) The claim for injunctive relief based on the risk of repetition is only justified if the conduct complained of was unlawful both under the law applicable at the time it was committed and under the law applicable at the time of the appeal decision (established case law; see Federal Court of Justice, judgment of February 24, 2022 - I ZR 128/21, GRUR 2022, 729 [juris para. 10] = WRP 2022, 727 - Secondary Market for Life Insurance II; Federal Court of Justice, GRUR 2023, 264 [juris para. 28] - Drug Order Data I). This is the case here.
Although the data protection regulations relevant to the assessment of the defendant's conduct, which is alleged to be a breach of law in the injunction application, have changed since the alleged infringement with the entry into force of the General Data Protection Regulation on May 25, 2018 (Article 99 (2) GDPR), this change in the law does not affect the merits of the action. The defendant's conduct, which is the subject of the complaint, violates both the provisions applicable at the time of its conduct regarding the admissibility of the processing of health data pursuant to Section 4 (1), Section 4a (1) and (3), and Section 28 (7) Sentence 1 of the Federal Data Protection Act (BDSG) (old version) (see B III 2 b) as well as the now applicable provisions pursuant to Article 9 (1) and (2) (a) and (h) GDPR (see B III 2 c).
b) The ordering process complained of in the action violated the provisions of Section 4 (1), Section 4a (1) and (3), and Section 28 (7) of the Federal Data Protection Act (BDSG) (old version) before the General Data Protection Regulation came into force.
aa) According to Section 4 (1) of the Federal Data Protection Act (BDSG) (old version), the collection, processing, and use of personal data is only permissible if the Federal Data Protection Act (BDSG) (old version) permits or requires this, or if the data subject consents. If special types of personal data within the meaning of Section 3 (9) of the Federal Data Protection Act (BDSG) (old version), such as data relating to health, are involved, consent is only valid if, in addition to the requirements stipulated in Section 4a (1) of the Federal Data Protection Act (BDSG) (old version), it expressly refers to the special type of personal data (Section 4a (3) of the Federal Data Protection Act (BDSG) (old version)). Unless the data subject has given their consent in accordance with Section 4a (3) of the Federal Data Protection Act (BDSG) (old version), the collection, processing, and use of health data for their own business purposes is only permitted in exceptional cases. In this respect, in the event of a dispute, the processing of data for the purpose of healthcare may be considered at most in accordance with Section 28 (7) Sentence 1 of the Federal Data Protection Act (BDSG) (old version), which is permissible if the processing of these data is carried out by medical personnel or other persons subject to a corresponding duty of confidentiality.

With these provisions, the provisions of Article 8 (1), (2) (a) and (3) of the Data Protection Directive have been implemented into German law. According to Article 8 (1) of the Data Protection Directive, Member States prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as data concerning health. According to Article 8(2)(a) of the Data Protection Directive, paragraph 1 of this provision does not apply if the data subject has explicitly consented to the processing of those data, unless the law of the Member State provides that the prohibition in paragraph 1 cannot be lifted by the consent of the data subject. Article 8(3) of the Data Protection Directive stipulates that Article 8(1) of the Data Protection Directive does not apply if the processing of data is necessary for the purposes of preventive healthcare, medical diagnosis, healthcare or treatment, or for the management of healthcare services, and if the processing of these data is carried out by medical personnel subject to professional secrecy under national law, including rules adopted by the competent national authorities, or by other persons subject to an equivalent obligation of confidentiality.

bb) The action is directed against the collection and processing of special personal data (information about health) within the meaning of these provisions.
(1) The claim, which is to be interpreted in light of the grounds of action and is directed at the prohibition of the sale of pharmacy-only medications via the online trading platform Amazon, objects to the fact that the defendant's customers must enter their name, delivery address, and the information necessary for customizing the ordered medication when ordering pharmacy-only medications, without being able to give their consent to the collection, processing, and use of this data during the input process. The defendant's conduct under assessment therefore consists in offering an ordering option that requires the entry of order data, and these data are then used for the purpose of executing the order without obtaining a declaration of consent from the customer in accordance with statutory requirements prior to these actions, which the plaintiff considers to be processing health data.
(2) The customer's name, delivery address, and the information necessary for the individualization of the ordered medication constitute health information (health data) and thus special types of personal data within the meaning of Section 3 (9) and Section 4a (3) of the Federal Data Protection Act (BDSG) (old version).
The Court of Justice of the European Union has ruled that the data to be provided by the customer when ordering pharmacy-only medication (the customer's name, delivery address, and the information necessary for the individualization of the ordered pharmacy-only medication) constitute special types of personal data, notwithstanding the fact that the pharmacy-only medications subject to the application also include non-prescription medications, and thus medications for which it cannot be ruled out that the purchaser is not purchasing the medication for themselves, but for a third party who is still undetermined at the time of ordering (cf. Federal Court of Justice, GRUR 2023, 264 [juris para. 35] - Arzneimittelbestelldaten I), and that this is information about health within the meaning of Art. 8 (1) of the Data Protection Directive (cf. ECJ, GRUR 2024, 1721 [juris paras. 81 and 94] - Lindenapotheke). The same applies by way of an interpretation consistent with EU law with regard to Section 3 (9) of the Federal Data Protection Act (BDSG) (old version), which implemented Art. 8 (1) of the Data Protection Directive into German law.
(3) If a customer orders prescription drugs via the defendant's account on the "Amazon Marketplace," this health data is collected and processed within the meaning of Section 4 (1) of the German Federal Data Protection Act (BDSG) (old version).
(a) Collection is understood to mean the acquisition of data (Section 3 (3) of the German Federal Data Protection Act (BDSG) (old version)), and processing is understood to mean the storage, modification, transmission, and deletion of personal data (Section 3 (4) of the German Federal Data Protection Act (BDSG) (old version)).
(b) According to the circumstances of the case established by the appeal court, the defendant obtains the health data of the customer within the meaning of Section 3 (3) of the German Federal Data Protection Act (BDSG) (old version) by making an order dependent on the entry of the order details on Amazon. According to the appeal court's findings, this data is forwarded by Amazon to the defendant for the purpose of executing the order. This constitutes, in any event, a transmission within the meaning of Section 3 (4) of the German Federal Data Protection Act (BDSG) (old version). The appeal also did not dispute that the order data was acquired and transmitted during the contested ordering process.
(4) The defendant is liable under competition law for both the collection process and the subsequent processing of the orderer's health data.
In this case, with regard to the claim for injunctive relief under Section 8 (1) Sentence 1 of the German Unfair Competition Act (UWG) asserted in the action, it can remain open which actions, considered as collection and processing of the order data, were undertaken by Amazon or (also) by the defendant himself. To the extent that Amazon's conduct is at issue during the ordering process, the defendant's liability arises from Section 8 (2) of the German Unfair Competition Act (UWG) (Federal Court of Justice, GRUR 2023, 264 [juris para. 40] - Arzneimittelbestelldaten I).
Accordingly, the claim for injunctive relief is also justified against the owner of the company if violations are committed by an agent of the company. According to this provision, violations committed by the company's agents are attributed to the owner of a company as if they were his own actions, because the company's division of labor is not intended to eliminate responsibility for the business activities.
The agent can also be an independent company that is integrated into the company owner's operational organization in such a way that the success of the business activities of the contracted company benefits the business owner and the business owner has a decisive, enforceable influence on the activities of the contracted company within whose scope the conduct complained of falls. What matters here is not the influence the business owner has secured, but rather the influence he could and should have secured (established case law; see Federal Court of Justice, judgment of February 23, 2023 - I ZR 155/21, GRUR 2023, 732 [juris para. 39] = WRP 2023, 705 - Broadcasting Liability II, with further references). The business owner may therefore also be liable for violations of law committed by an agent without his knowledge and against his will (Federal Court of Justice, judgment of October 7, 2009 - I ZR 109/06, GRUR 2009, 1167 [juris para. 21] = WRP 2009, 1529 - Affiliate Program).
According to these principles, Amazon is to be regarded as the defendant's agent.
By setting up and operating a seller account on the online sales platform "Amazon Marketplace," in accordance with the applicable rules and technical procedures for collecting order data and processing it as part of order processing, the defendant integrated this platform into its online sales of prescription drugs. This division of labor in its sales organization cannot eliminate the defendant's liability under competition law for its business activities organized in this way, so that the actions relevant to data protection carried out within Amazon's direct sphere of influence are attributed to the defendant as if they were its own actions.
The assumption of the defendant's liability under competition law pursuant to Section 8 (2) of the Unfair Competition Act is not contradicted by the fact that the appeal court, with reference to the plaintiff's written submissions, stated that any data protection violations by the "Amazon Marketplace" platform were not part of the legal dispute. It cannot be inferred from this argument that the plaintiff should disregard the processes taking place within Amazon's sphere of influence in general, and thus also with regard to the defendant's alleged anti-competitive liability for the distribution of prescription drugs via the "Amazon Marketplace," for the merits of the claim.
cc) The district court judgment cited by the appeal court, which examined the legal situation under the old version of the Federal Data Protection Act, rightly assumed that the collection and processing of order data on Amazon challenged by the claim constitutes processing of health data that is not justified by valid consent within the meaning of Section 4 (1) and Section 4a (3) of the Federal Data Protection Act (BDSG) (old version) or by the legal basis for authorization provided for in Section 28 (7) of the Federal Data Protection Act (BDSG) (old version).
(1) There is no express consent from the customer to the collection and processing of their health data that satisfies the requirements of the provisions pursuant to Section 4 (1), Section 4a (3) of the Federal Data Protection Act (BDSG) (old version) and Article 8 (2) (a) of the Data Protection Directive.
(a) Contrary to the view of the appeal, the requirement of express consent means that implied consent is not sufficient (see BeckOK.Datenschutzrecht/Kühling, 23rd Edition [as of February 1, 2018], Section 4a of the Federal Data Protection Act (BDSG) (old version), marginal no. 55). Furthermore, the requirement under Section 4a (3) of the German Federal Data Protection Act (BDSG) (old version) that consent must be based on the specific nature of the data requires that the sensitive data to be used must be precisely identified and the specific context of use must be demonstrated, because the risk of using particularly sensitive data can only be assessed in light of the specific use (BeckOK.Datenschutzrecht/Kühling, loc. cit., Section 4a of the German Federal Data Protection Act (BDSG) (old version), marginal no. 56; see also Hoeren, VersR 2005, 1014, 1020).
(b) According to the findings of the Court of Appeal, which are not challenged by the appeal, there is a lack of unambiguously declared consent from the defendant's customers that meets these requirements.
(2) The collection, use, and processing of the health data provided by the customer is also not permitted under Section 28 (7) of the German Federal Data Protection Act (BDSG) (old version).
(a) According to this provision, the collection of health data within the meaning of Section 3 (9) of the Federal Data Protection Act (BDSG) (old version) is permissible if this is necessary for the purposes of preventive healthcare, medical diagnostics, healthcare provision or treatment, or for the administration of healthcare services, and if the processing of these data is carried out by medical personnel or other persons subject to a corresponding obligation of confidentiality. The characteristic "corresponding" implies that these other persons must be subject to a duty of confidentiality comparable to that of physicians, which can be assumed, for example, for healthcare professionals such as alternative practitioners, speech therapists, physiotherapists, masseurs, opticians, producers of medicinal products and specialist retailers of orthopedic aids, as well as pharmacists (cf. BeckOK.Datenschutzrecht/Wolff, 23rd Edition [as of August 1, 2015], Section 28 BDSG (old version), marginal no. 264 with further references). The requirement of a comparability of the duty of confidentiality to the profession of physician also follows from Section 28 (7) Sentence 3 BDSG (old version). If, for a purpose stated in sentence 1 of this provision, data concerning the health of individuals are collected, processed, or used by members of a profession other than that specified in Section 203 (1) and (3) of the German Criminal Code, the practice of which entails the diagnosis, cure, or
alleviation of illnesses or the manufacture or distribution of medical aids, this is only permissible under the conditions under which a physician himself would be authorized to do so.
(b) In the case at issue, the collection and processing of health data at Amazon is carried out neither by medical personnel nor by other persons subject to a corresponding duty of confidentiality within the meaning of the above principles. According to the findings of the Regional Court, the customer initially provides his or her data to Amazon during the ordering process. From there, it is forwarded to the seller selected in the marketplace – in this case, the defendant. Neither the district court nor the appeal court has established, nor has the appeal asserted, that the defendant has argued that at Amazon, health data is collected, processed, and used by medical personnel or by persons who are subject to a duty of confidentiality "corresponding" to medical duties. The defendant bears the burden of proof in this respect, both with regard to the requirements of the authorization he invoked and because the organization of the ordering process on the sales platform he commissioned for the purpose of online sales is attributable to his sphere of perception.
(c) Contrary to the view of the appeal, the existence of a duty of confidentiality applicable to everyone pursuant to Section 203 (4) Sentence 1 of the Criminal Code is not sufficient.

This provision specifically does not apply to persons who are subject to an original professional duty of confidentiality comparable to that of doctors and other healthcare professionals. Rather, in the interest of extended criminal protection of confidentiality, Section 203 (4) Sentence 1 of the Criminal Code extends criminal liability to all collaborating persons who, as assistants to persons originally bound to confidentiality due to their professional position, become aware of secrets in the exercise or on the occasion of their activities (see Eisele in Schönke/Schröder, StGB, 30th ed., Section 203, marginal no. 96). These persons therefore lack the professional comparability expressed in the characteristic "corresponding" with medical personnel within the meaning of Section 28 (7) Sentence 1 of the Federal Data Protection Act (BDSG) (old version).
c) The challenged ordering process also violates the now applicable provision pursuant to Article 9 (1) GDPR.
aa) Article 9 (1) GDPR prohibits the processing of special categories of personal data, which also include the health data of a natural person.
The entry of order data and its use for the purpose of executing the order constitutes processing within the meaning of Article 4 No. 1, Article 9 (1) GDPR. The defendant is liable for this processing under competition law pursuant to Section 8 (1) and (2) of the German Unfair Competition Act (UWG) (see Federal Court of Justice, GRUR 2023, 264 [juris marginal no. 41] - Medicinal Product Order Data I). Reference can be made to the explanations regarding the requirements under the old version of the Federal Data Protection Act (see B III 2 b bb [3] and [4]), which apply here accordingly.
The order data in question in the dispute are also to be regarded as health data within the meaning of Article 9 (1) GDPR (see ECJ, GRUR 2024, 1721 [juris marginal no. 94] - Lindenapotheke).
bb) The Court of Appeal rightly assumed that in the case in dispute, the customer's consent to the processing of the order data, which satisfies the requirements of Art. 9 (2) (a) GDPR, was not present.
(1) The prohibition on processing health data stipulated in Art. 9 (1) GDPR does not apply pursuant to Art. 9 (2) (a) GDPR if the data subject has expressly consented to the processing of the health data for one or more specified purposes.
(2) The Court of Appeal correctly assumed that such consent was not present. According to its findings, which are not challenged by the appeal, there is no express consent from the customer before or during the ordering process. The Court of Appeal also rightly assumed that implied consent is not sufficient. Article 9 (2) (a) GDPR requires – in derogation from Article 6 (1) (a) GDPR – explicit consent. Therefore, implied consent does not meet the requirements of Article 9 (2) (a) GDPR (cf. Petri in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 2nd ed., Article 9 GDPR, marginal no. 33; Schiff in Ehmann/Selmayr, GDPR, 3rd ed., Article 9, marginal no. 34; Schulz in Gola/Heckmann, DSGVO, 3rd ed., Article 9, marginal no. 23; Weichert in Kühling/Buchner, DSGVO, 4th ed., Article 9, marginal no. 47; Albers/Veit in BeckOK.DatenschutzR, 50th edition [as of August 1, 2024], Article 9, marginal no. 61; BeckOK.IT-Recht/Borges, 17th edition [as of July 1, 2021], Article 9 GDPR, para. 9).
(3) The Court of Appeal also correctly assumed that consent to the processing of health-related data cannot be inferred solely from the ordering of a medication on the Amazon Marketplace trading platform. Effective consent requires that the data in question be specifically identified and that the data subject is informed of the entire intended use of the data and thus enabled to make a rational decision as to whether they wish to make their data available for these purposes (cf. Frenzel in Paal/Pauly, GDPR BDSG, 3rd ed., Art. 9 GDPR, para. 23; Schiff in Ehmann/Selmayr, loc. cit., Art. 9, para. 34; Weichert in Kühling/Buchner, loc. cit., Art. 9, para. 47). If the data collected is health data, an explicit reference to the existence of health data is also required (Schulz in Gola/Heckmann, op. cit., Art. 9, para. 23; Weichert in Kühling/Buchner, op. cit., Art. 9, para. 47; BeckOK.IT-Recht/Borges, op. cit., Art. 9 GDPR, para. 9). This specific reference to the need for protection of the collected data is intended to achieve a warning effect (Weichert, DuD 2017, 538). This protective purpose would be missed if the mere ordering of a medication on the Amazon Marketplace trading platform were to be considered consent to the processing of health-related data.
cc) Contrary to the view of the appeal, the defendant cannot successfully invoke the legal basis under Article 9 (2) (h) and (3) GDPR.

(1) Pursuant to Article 9 (2) (h) GDPR, the prohibition on processing under Article 9 (1) GDPR does not apply if the processing is necessary for the purposes of providing healthcare or treatment based on a contract with a healthcare professional and subject to the conditions and safeguards set out in Article 9 (3) GDPR. According to Article 9 (3) GDPR, health data may be processed for the purposes set out in Article 9 (2) (h) GDPR if these data are processed by or under the responsibility of professionals who are subject to professional secrecy under Union law or the law of a Member State or the provisions of national competent authorities, or if the processing is carried out by another person who is also subject to an obligation of confidentiality under Union law or the law of a Member State or the provisions of national competent authorities.
(2) In this case, it is irrelevant whether, with regard to the collection of order data, pre-contractual data processing also takes place "on the basis of a contract" and is thus covered by Article 9 (2) (h) GDPR. In any case, the requirements placed on the person carrying out the processing are not met with regard to the "Amazon Marketplace" sales platform integrated by the defendant into its sales activities.

(a) The appeal court made no findings that could justify the assumption that the data processing in question at Amazon is carried out by specialist personnel subject to professional secrecy. The appeal does not claim that the appeal court disregarded submissions in this regard by the defendant, who bears the burden of proof (see B III 2 b cc [2] [b]).
(b) The appeal unsuccessfully claims that the data processing is permissible pursuant to Article 9 (2) (h) in conjunction with (3) GDPR because Amazon is to be regarded as an "other person" within the meaning of this provision.
The appeal is of the opinion that the requirements for the "other person" regulated in Art. 9 (3) GDPR are less narrowly defined than the corresponding provision of the old law pursuant to Section 28 (7) BDSG (old version) and Art. 8 (3) DSRL. This follows from the fact that, according to Art. 9 (3) GDPR, the "other person" is not subject to a "corresponding" duty of confidentiality, as was the case with the "other person" under the old law, but only to a simple "duty of confidentiality." This means that the term "other person" is no longer limited to professions closely related to the medical field, which Amazon did not fall into under the old law. The removal of the restrictive term "corresponding" now allows even those persons from the non-medical sector, such as Amazon, to be considered privileged, as they are subject to the general duty of confidentiality as contributors within the meaning of Section 203 (4) in conjunction with Section 203 (3) Sentence 2 of the German Criminal Code.

The appeal therefore cannot succeed. It can remain open whether the absence of the characteristic "corresponding" can justify the conclusion that Article 9 (3) GDPR, compared to the previous law, opens up a more extensive possibility of also privileging professions that are not part of the medical field, or whether - for which there are better reasons - in view of the meaning and purpose as well as the systematic connection, it cannot be assumed that the regulatory authority has relaxed the requirements applicable to the processing of health data for other persons (cf. Weichert in Kühling/Buchner, loc. cit., Article 9, para. 144; cf. in this regard, that justifications that can lead to the processing of personal data being lawful despite the lack of consent of the data subject must be interpreted narrowly, ECJ, judgment of July 4, 2023 - C-252/21, GRUR 2023, 1131 [juris para. 76] = WRP 2023, 924 - Meta Platforms et al. [General terms of use of a social network] on Art. 9 (2) (e) GDPR; Judgment of December 21, 2023 - C-667/21, EuZW 2024, 270 [juris para. 50] - Krankenversicherung Nordrhein on Art. 9 (2) (h) GDPR; Judgment of October 4, 2024 - C-621/22, WRP 2024, 1480 [juris para. 31] - Koninklijke Nederlandse Lawn Tennisbond on Art. 6 (1) subpara. 1 letters b to f GDPR and judgment of October 4, 2024 - C-446/21, GRUR 2024, 1821 [juris paras. 76 and 81] = WRP 2024, 1330 - Schrems [communication of data to the general public] on Art. 9 (2) (e) GDPR).
In any case, the appeal fails to take into account that Art. 9 (3) GDPR does not constitute a comprehensive EU law regulation of the conditions for the lawfulness of the processing of health data. Rather, Art. 9 (3) GDPR expressly permits provisions in the law of the Member States. Furthermore, Member States may introduce or maintain additional conditions, including restrictions, to the extent that the processing of genetic, biometric, or health data is affected (Article 9 (4) GDPR). The German legislature has made such provisions in Section 22 (1) No. 1 (b) of the Federal Data Protection Act (BDSG) (see explanatory memorandum to the government's draft EU Data Protection Adaptation and Implementation Act, Bundestag Print No. 18/11325, pp. 94 et seq.). Accordingly, by way of derogation from Article 9 (1) GDPR, the processing of special categories of personal data within the meaning of Article 9 (1) GDPR by public and non-public bodies is permitted if it is necessary for the purposes of health care, assessing the employee's ability to work, medical diagnosis, care or treatment in the health or social sector, or for the administration of systems and services in the health and social sector, or on the basis of a contract between the data subject and a health professional, and if these data are processed by medical personnel or other persons subject to a corresponding obligation of confidentiality, or under their responsibility. This provision contains – as already Section 28 (7) of the Federal Data Protection Act (BDSG) (old version) and Article 8 (3) of the Data Protection Directive (DSRL) – the requirement that other persons are subject to a "corresponding" duty of confidentiality, so that even under current law, only persons in the health and medical professions are privileged (cf. Heckmann/Scheurer in Gola/Heckmann, op. cit., Section 22 of the Federal Data Protection Act, marginal no. 29, and B III 2 b cc [2] [a]), which Amazon does not fall under – even in the view of the appeal. To the extent that the appeal, in its written submission of February 10, 2025, submitted after the oral appeal hearing, claims that the characteristic "corresponding" expressly regulated in Section 22 (1) No. 1 (b) of the Federal Data Protection Act (BDSG) is irrelevant because Section 22 (1) of the Federal Data Protection Act (BDSG) is alternative to the grounds of justification listed in Article 9 (2) of the GDPR, this cannot be upheld.
The appeal fails to take into account that the EU legislator not only refers to the law of the Member State in Article 9 (3) of the GDPR with regard to the professional secrecy to which professional personnel must be subject, but also allows Member States to introduce and maintain additional conditions, including restrictions, insofar as the processing of health data is concerned. The non-application of the "corresponding" criterion, which the German legislature has expressly maintained in the regulation supplementing these opening provisions, is not only precluded by the clear wording and the systematic priority of application of the more specific law (lex specialis derogat legi generali). In the context of an interpretation of the provision of Section 22 (1) No. 1 (b) of the Federal Data Protection Act (BDSG), which was enacted on the basis of Art. 9 (3) and (4) GDPR, in accordance with EU law, it must also be taken into account that, according to the case law of the Court of Justice of the European Union, justifications that may lead to the lawfulness of the processing of personal data despite the lack of consent of the data subject must be interpreted narrowly (see B III 2 c cc [2] [b]). Furthermore, the Court of Justice of the European Union has emphasized that persons authorized to process data pursuant to Article 9 (3) GDPR must be subject to professional secrecy only under strictly limited conditions (ECJ, EuZW 2024, 270 [juris para. 44] - Krankenversicherung Nordrhein). This is not consistent with the view of the appeal that, even with regard to Article 9 (3) GDPR, the general duty of confidentiality pursuant to Section 203 (4) Sentence 1 of the German Criminal Code, which is not linked to professional status but applies to everyone, is sufficient.
Finally, a teleological reduction of Section 22 (1) No. 1 (b) of the German Federal Data Protection Act (BDSG) in the sense of the view advocated by the appeal, is also inadmissible because it contradicts the purpose of the special provisions for the protection of special categories of personal data, such as health data. This consists in ensuring increased protection against data processing that, due to the particular sensitivity of the data subject to such processing, may constitute a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights (ECJ, EuZW 2024, 270 [juris para. 41] - Krankenversicherung Nordrhein).
(c) Contrary to the view of the appeal, the data processing in question at Amazon is also not carried out under the responsibility of a professional subject to professional secrecy within the meaning of Section 22 (1) No. 1 (b) BDSG (and Article 9 (3) GDPR).
The appeal argues that for data processing by Amazon "under the responsibility" of the defendant, it is only necessary that the defendant's pharmacy allow Amazon to collect the data for its business purposes. Authority to issue directions or even integration of the data processor into the pharmacist's sphere is not required. This cannot be agreed to.

The characteristic of "responsibility," according to its literal meaning, the regulatory context, and the purpose of the special provisions, requires that the specialist personnel subject to professional secrecy ensure compliance with all legal requirements serving to protect this data – such as the consent requirement pursuant to Art. 9 (2) (a) GDPR, which is relevant in the case at issue – by the personnel employed in the data processing. The appeal court did not establish that this requirement was met in the case at issue. The appeal did not assert that the defendant had argued that the Amazon employees involved in the data processing initiated with the ordering process are obliged to comply with the special data protection requirements for the processing of health data, and that compliance with these provisions is monitored by the defendant through appropriate measures.
3. The Court of Appeal correctly assumed that the provisions governing the processing of health data as a special category of personal data pursuant to Section 4a and Section 28 (7) of the Federal Data Protection Act (BDSG) (old version) and Article 9 (1) of the GDPR are market conduct regulations within the meaning of Section 3a of the Unfair Competition Act (UWG).
a) A standard regulates market conduct in the interest of competitors, consumers, or other market participants if it has a competitive dimension in the sense that it protects the competitive interests of persons considered as suppliers or buyers of goods or services. A provision that serves to protect the rights, legal interests, or other interests of market competitors, consumers, or other market participants constitutes a market conduct regulation if the protected interest is affected precisely by market participation, i.e., by the conclusion of exchange contracts and the subsequent consumption or use of the acquired goods or services. A specifically competition-related protective function in the sense that the regulation specifically protects market participants from the risk of unfair influence on their market behavior is not required. However, the provision must at least also aim to protect the competitive interests of market participants; merely reflexive effects in their favor are therefore not sufficient (established case law; see Federal Court of Justice, judgment of October 8, 2015 - I ZR 225/13, GRUR 2016, 513 [juris para. 21] = WRP 2016, 586 - egg donation; judgment of April 27, 2017 - I ZR 215/15, GRUR 2017, 819 [juris para. 20] = WRP 2017, 941 - recording obligation; judgment of November 18, 2021 - I ZR 106/20, GRUR 2022, 175 [juris para. 25] = WRP 2022, 165 - cable TV connection; judgment of November 10, 2022 - I ZR 16/22, GRUR 2023, 416 [juris para. 19] = WRP 2023, 447 - Nitrogen generator).
b) However, it is argued that data protection provisions – with the exception of data processing for advertising purposes – do not constitute market conduct regulations because they merely protect personal rights or informational self-determination, whereas the Act against Unfair Competition is concerned with protecting consumers' economic freedom of choice and protecting the general public against excesses of competition (cf. OLG Düsseldorf, RDV 2004, 222 [juris marginal no. 8]; OLG Frankfurt, GRUR 2005, 785 [juris marginal no. 29]; OLG Cologne, GRUR-RR 2010, 34 [juris marginal no. 5]; OLG Munich, GRUR-RR 2012, 395 [juris marginal nos. 28 et seq.]; OLG Karlsruhe, GRUR-RR 2012, 396 [juris marginal nos. 32 to 34]; Higher Regional Court of Dresden, judgment of March 26, 2013 - 14 U 1776/12, BeckRS 2014, 15220; Köhler in Köhler/Bornkamm/Feddersen, Unfair Competition Act (UWG), 40th ed., § 3a, marginal no. 1.74a [differently, now Köhler/Odörfer in Köhler/Feddersen, ibid., 43rd ed., § 3a, marginal no. 1.74a]; Ohly in Ohly/Sosnitza, ibid., § 3a, marginal no. 79; Büttner in Festschrift Erdmann, 2002, pp. 545, 559; Gärtner/Heil, WRP 2005, 20, 22; Heckmann/Gierschmann/Selk, CR 2018, 728, 729). Others assume that data protection law primarily has a consumer-protective effect and is therefore, overall, a market conduct regulation (cf. Ernst, WRP 2004, 1133, 1137; Schneider, NJW 2012, 3315 f.).
c) In contrast, others rightly assume that the question of whether standards for the protection of personal data constitute market conduct regulations cannot be answered in a general way, but rather that each provision must be specifically examined to determine whether it regulates market conduct (cf. Higher Regional Court of Hamburg, WRP 2018, 1510 [juris marginal no. 72]; MünchKomm.UWG/Schaffert, 3rd ed., § 3a marginal no. 81; Götting/Hetmank in Fezer/Büscher/Obergfell, Lauterkeitsrecht, 3rd ed., § 3a UWG, marginal no. 80; Büscher/Meinhardt, UWG, 3rd ed., § 3a marginal no. 277 et seq.; Huppertz/Ohrmann, CR 2011, 449, 451; Galetzka, K&R 2015, 77, 80; Metzger, GRUR Int. 2015, 687, 691; Schreiber, GRUR-Prax 2018, 371, 372; Laoutoumai/Hoppe, K&R 2018, 533, 534; Schmitt, WRP 2019, 27 para. 12; Schaub, WRP 2019, 1391 para. 6; Apel/Bosman, K&R 2020, 73, 74).
d) The provisions on the consent requirement with regard to the processing of personal data pursuant to Section 4a and Section 28 (7) of the Federal Data Protection Act (BDSG) (old version) and Article 9 of the GDPR are therefore market conduct regulations in the interest of consumers and other market participants (also Meyer, WRP 2002, 1028, 1034; Metzger, GRUR Int. 2015, 687, 691; Schaub, WRP 2019, 1391, para. 12; probably also Linsenbarth/Schiller, WRP 2013, 576, para. 25).
aa) First, it must be considered that the Data Protection Directive as a whole serves not only to protect the personal rights affected by data processing (Article 1 (1) and Recital 10 of the Data Protection Directive). From recitals 2 ("development of trade"), 6 ("facilitating cross-border flows of personal data"), and especially recitals 3, 7, 8, and 9, it is clear that the EU legislature also considered the tension between the protection of personal rights and the free movement of data within the Union as an economic factor. The purpose of the Directive is also to approximate national data protection laws for the purpose of intra-EU trade in data while maintaining the protection of the fundamental rights of data subjects. Accordingly, Article 1 of the Data Protection Directive stipulates not only that Member States shall ensure the protection of fundamental rights and freedoms, and in particular the protection of privacy, of natural persons with regard to the processing of personal data (paragraph 1), but also that Member States shall neither restrict nor prohibit the free movement of personal data between Member States for reasons connected with the protection afforded under paragraph 1 of the provision (paragraph 2).
The protection of the fundamental rights of data subjects is therefore not considered in isolation, but rather with regard to the functioning of the internal market (cf. Higher Regional Court of Cologne, WRP 2016, 885 [juris para. 40]). The Data Protection Directive is therefore clearly based on the assumption that personal data can be the basis or even the subject of services or goods transactions provided throughout the Union.
The General Data Protection Regulation also aims, on the one hand, to protect fundamental rights and freedoms (Article 1 (1) GDPR), but also contains provisions on the free movement of personal data (Article 1 (1) GDPR). Furthermore, pursuant to Article 1 (3) GDPR, the free movement of personal data within the Union may neither be restricted nor prohibited for reasons of the protection of natural persons with regard to the processing of personal data. Technological development and globalization are expressly addressed in Recital 6, and the Union-wide movement of personal data as an economic factor is addressed in Recitals 2, 3, 5, 6, 7, and especially 9 and 10.
bb) Against this background, the provisions requiring consent to the processing of personal data serve to protect the personal rights interests of consumers within the meaning of the Senate's case law, especially in connection with their market participation, i.e., when concluding exchange contracts or using services (cf. Higher Regional Court of Hamburg, WRP 2013, 1203 [juris para. 58]). Based on the economic importance of processing personal data for internet-based business models, the use of which often leads consumers to consider whether to pay for desired services not by paying a fee but by disclosing personal data, the requirement of consumer consent, which – as in the case at hand – concerns the disclosure of personal data linked to their decision to purchase, is of central importance. It is precisely through the possibility of deciding on the disclosure of their data that consumers should be enabled to freely decide whether, how, and to what extent they participate in the market and conclude contracts. The Court of Justice of the European Union has also assumed that a violation of a provision protecting personal data may simultaneously constitute a violation of consumer protection provisions or unfair commercial practices (see ECJ, judgment of April 28, 2022 - C-319/20, GRUR 2022, 920 [juris paras. 66, 78] - Meta Platforms Ireland).
4. A violation of Section 4a (1) and (3) of the Federal Data Protection Act (BDSG) (old version) and Article 9 (1) of the GDPR is likely to significantly impair the interests of consumers within the meaning of Section 3a of the Unfair Competition Act (UWG).
a) The question of whether there is a potential for a significant impairment of interests must be assessed based on the protective purpose of the market conduct regulation violated in each case. In this assessment, the purposes that justify the classification of the regulation as a market conduct regulation must be taken into account because they affect the interests of market participants. The appreciability clause is intended to exempt from prosecution those cases of violation of a market conduct regulation that have no significant impact on other market participants and therefore do not represent a public interest. A perceptible impairment of consumers' interests exists if their ability to make informed and free business decisions within the meaning of Section 2 (1) No. 1 of the Unfair Competition Act (UWG) is affected (Federal Court of Justice, judgment of May 29, 2024 - I ZR 43/23, GRUR 2024, 1041 [juris para. 44] = WRP 2024, 1045 - Hydra Energy, with further references).
b) According to these principles, in the case in question, the perceptible violation of Section 3a of the Unfair Competition Act must be affirmed with regard to the protective purpose of the consent requirement pursuant to Section 4a (1) and (3) of the Federal Data Protection Act (BDSG) (old version) and Article 9 (1) of the GDPR. The nature and extent of the expected use of one's own data and of data from which conclusions can be drawn about one's own health represent an essential criterion for the use of the defendant's services, which is of considerable importance for the potential customer's decision to use the offered service (see Federal Court of Justice, judgment of January 14, 2016 - I ZR 65/14, GRUR 2016, 946 [juris para. 85] = WRP 2016, 958 - Freunde finden).
5. The prosecution of a violation of Section 4a (1) and (3) of the Federal Data Protection Act (BDSG) (old version) and Article 9 (1) and (2) (a) of the GDPR as an unfair commercial practice is not precluded by the fact that Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market fully harmonizes the provisions of the Member States on such unfair commercial practices (Article 3 (1) and Article 4 of Directive 2005/29/EC). According to Article 3 (3), the Directive is without prejudice to Union or Member State law regarding the health and safety aspects of products. The data protection provisions governing the collection and processing of health data in relation to the trade in pharmacy-only medicinal products that are relevant in the case at issue are such laws. The provisions of the Federal Data Protection Act in question are also based on EU law (see Federal Court of Justice, judgment of January 14, 2016 - I ZR 61/14, GRUR 2016, 516 [juris para. 13] = WRP 2016, 581 - Wir helfen im Trauerfall, with further references; Köhler/Odörfer in Köhler/Feddersen, ibid., § 3a para. 1.8 with further references).
6. The risk of repetition required for the asserted injunctive relief pursuant to Section 8 (1) Sentence 1 of the Unfair Competition Act (UWG) is actually presumed due to the infringing act established (cf. Federal Court of Justice, judgment of January 12, 2023 - I ZR 49/22, GRUR 2023, 742 [juris para. 14] = WRP 2023, 709 - Submission by PDF, with further references).
IV. There is no need to refer the case to the Court of Justice of the European Union under Article 267(3) TFEU (see ECJ, judgment of 6 October 1982 - 283/81, ECR 1982, 3415 [juris para. 21] = NJW 1983, 1257 - Cilfit and Others; judgment of 1 October 2015 - C-452/14, GRUR Int. 2015, 1152 [juris para. 43] - Doc Generici; judgment of 6 October 2021 - C-561/19, NJW 2021, 3303 [juris paras. 32 et seq.] - Consorzio Italian Management and Catania Multiservizi). There is no relevant question regarding the interpretation of EU law that has not already been clarified by the case law of the Court of Justice or cannot be answered beyond doubt.

C. Accordingly, the appeal on points of law must be dismissed at the defendant's expense (Section 97(1) of the Code of Civil Procedure).

Koch Löffler Schmaltz
Odörfer Wille