VG Hannover - 10 A 502/19: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 53: Line 53:
}}
}}


The Administrative Court of Hannover ruled that an online pharmacy cannot oblige customers to provide their gender and date of birth for orders of medical products which do not require a gender or age-specific dosage.
The Administrative Court of Hanover ruled that an online pharmacy cannot oblige customers to provide their title and date of birth for orders of medical products that do not require a gender or age-specific dosage.


==English Summary==
==English Summary==


=== Facts===
=== Facts===
The plaintiff operated an online pharmacy located in Germany. The pharmacy allowed customers to order medical products online with or without a customer account. For any order without an account, however, customers were required to enter their title (Ms./Mr.) and date of birth in the online form. After receiving a complaint of a data subject the Data Protection Authority of Lower Saxony investigated the case.
The plaintiff operated an online pharmacy located in Germany. The pharmacy allowed customers to order medical products with or without a customer account. For any order without an account, however, customers were required to enter their title (Ms./Mr.) and thier date of birth in the online form. After receiving a complaint from a data subject the Data Protection Authority of Lower Saxony investigated the case.


The pharmacy argued that information on the date of birth was required to ensure the full legal capacity of the customer and therefore necessary to perform the contract. Furthermore, obtaining the birth date was necessary to comply with legal obligations. Medications were generally associated with health risks and side effects and must be dosed appropriately for the customer’s age. In terms of the gender, the pharmacy argued that collecting such data would allow for a more customer-friendly communication and therefore serve an overriding legitimate interest.
The pharmacy argued that information on the date of birth was required to ensure the full legal capacity of the customer and was therefore necessary to perform the contract. Furthermore, obtaining the birth date was required to comply with legal obligations. Since medications were generally associated with health risks and side effects and they must be dosed appropriately for the customer’s age. In terms of the title, the pharmacy argued that collecting such data would allow for a more customer-friendly communication and therefore serve an overriding legitimate interest.


The DPA found that the blanket collection of such data irrespective of a gender or age specific application of the ordered medication violates the principles of lawfulness and data minimization. Accordingly, the corresponding query must be omitted if it is not necessary for a gender- or age-appropriate dosing. Furthermore, the pharmacy lacks to mention the purpose of collecting gender data to pursue legitimate interests which violates the principle of transparency. Consequently, the DPA ordered the pharmacy to refrain from the collection of such information in the online ordering process where the necessity of such information is not indicated by the type of the medication ordered.
The DPA found that the blanket collection of such data irrespective of a gender or age specific application of the ordered medication violates the principles of lawfulness and data minimization. Accordingly, the corresponding query must be omitted if it is not necessary for a gender- or age-appropriate dosing. Furthermore, the pharmacy lacks to mention the purpose of collecting gender data to pursue legitimate interests which violates the principle of transparency. Consequently, the DPA ordered the pharmacy to refrain from the collection of such information in the online ordering process where the necessity of such information is not indicated by the type of the medication ordered.
Line 67: Line 67:
The Administrative Court of Hanover hold that the DPA’s order against the online pharmacy is lawful and does not violate the pharmacies’ rights.
The Administrative Court of Hanover hold that the DPA’s order against the online pharmacy is lawful and does not violate the pharmacies’ rights.


While the pharmacy has special contractual duties to provide information on their products and proper use, including an age-appropriate dosage, this does not justify the collection of the date of birth for all orders. Many products in the pharmacy’s assortment (e.g. plasters, bandages, creams, etc.) were applicable irrespective of the customer’s age. In such cases, the processing of the birth date cannot be founded on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Similarly, there is no evident legal obligation to obtain this data for non-prescriptive medication that do not require an age-dependent dosage in terms of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].
While the pharmacy has special contractual duties to provide information on their products and proper use, including an age-appropriate dosage, this does not justify the collection of the date of birth for all orders. Many products in the pharmacy’s assortment (e.g. plasters, bandages, creams, etc.) were applicable irrespective of the customer’s age. In such cases, the processing of the birth date cannot be founded on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Similarly, there is no evident legal obligation to obtain this data for non-prescriptive medication that does not require an age-dependent dosage in terms of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].


Similarly, the court hold that the collection of data on the gender and birth date within orders of such products cannot be based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Regarding the birth date, asking for the age of majority represents a milder mean instead. In terms of the title, a gender-neutral communication can be adressed. However, the pharmacy had already taken measures during the procedure, adding an option of “do not specify” regarding the title along with additional information in their privacy policy.
Similarly, the court hold that the collection of data on the gender and birth date within orders of such products cannot be based on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. Regarding the birth date, asking for the age of majority represents a milder mean instead. In terms of the title, a gender-neutral communication may be adressed. However, the pharmacy had already taken measures during the procedure, adding an option of “do not specify” in the title section along with additional information in their privacy policy.


==Comment==
==Comment==

Revision as of 09:24, 24 November 2021

VG Hannover - 10 A 502/19
Courts logo1.png
Court: VG Hannover (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(b) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Decided: 09.11.2021
Published:
Parties: Online Pharmacy
Data Protection Authority of Lower Saxony
National Case Number/Name: 10 A 502/19
European Case Law Identifier: VGHANNO:2021:1109.10A502.19.00
Appeal from: LfD (Lower Saxony)
Appeal to: Unknown
Original Language(s): German
Original Source: Niedersächsisches Landesjustizportal (in German)
Initial Contributor: Jannik

The Administrative Court of Hanover ruled that an online pharmacy cannot oblige customers to provide their title and date of birth for orders of medical products that do not require a gender or age-specific dosage.

English Summary

Facts

The plaintiff operated an online pharmacy located in Germany. The pharmacy allowed customers to order medical products with or without a customer account. For any order without an account, however, customers were required to enter their title (Ms./Mr.) and thier date of birth in the online form. After receiving a complaint from a data subject the Data Protection Authority of Lower Saxony investigated the case.

The pharmacy argued that information on the date of birth was required to ensure the full legal capacity of the customer and was therefore necessary to perform the contract. Furthermore, obtaining the birth date was required to comply with legal obligations. Since medications were generally associated with health risks and side effects and they must be dosed appropriately for the customer’s age. In terms of the title, the pharmacy argued that collecting such data would allow for a more customer-friendly communication and therefore serve an overriding legitimate interest.

The DPA found that the blanket collection of such data irrespective of a gender or age specific application of the ordered medication violates the principles of lawfulness and data minimization. Accordingly, the corresponding query must be omitted if it is not necessary for a gender- or age-appropriate dosing. Furthermore, the pharmacy lacks to mention the purpose of collecting gender data to pursue legitimate interests which violates the principle of transparency. Consequently, the DPA ordered the pharmacy to refrain from the collection of such information in the online ordering process where the necessity of such information is not indicated by the type of the medication ordered.

Holding

The Administrative Court of Hanover hold that the DPA’s order against the online pharmacy is lawful and does not violate the pharmacies’ rights.

While the pharmacy has special contractual duties to provide information on their products and proper use, including an age-appropriate dosage, this does not justify the collection of the date of birth for all orders. Many products in the pharmacy’s assortment (e.g. plasters, bandages, creams, etc.) were applicable irrespective of the customer’s age. In such cases, the processing of the birth date cannot be founded on Article 6(1)(b) GDPR. Similarly, there is no evident legal obligation to obtain this data for non-prescriptive medication that does not require an age-dependent dosage in terms of Article 6(1)(c) GDPR.

Similarly, the court hold that the collection of data on the gender and birth date within orders of such products cannot be based on Article 6(1)(f) GDPR. Regarding the birth date, asking for the age of majority represents a milder mean instead. In terms of the title, a gender-neutral communication may be adressed. However, the pharmacy had already taken measures during the procedure, adding an option of “do not specify” in the title section along with additional information in their privacy policy.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.














seek
Advanced Search
dishes
Areas of law
RSS
Lower Saxony regulations information system NI-VORIS







Jurisprudence of the Lower Saxony judiciary



 








Document viewData protection prohibition order for data processing of the date of birth and the salutation An online mail-order pharmacy may not process the date of birth and the salutation for every product during the ordering process.
Judgment of
09.11.2021, 10 A 502/19, ECLI: DE: VGHANNO: 2021: 1109.10A502.19.00Art 5 EUV 2016/679, Art 6 EUV 2016/679 Tenor The proceedings will be discontinued if the parties involved in the legal dispute with regard to numbers 2 and 3 of the defendant's decision dated January 8th, 2019. Otherwise, the claim is dismissed. The plaintiff bears the costs of the proceedings. The decision is provisionally enforceable because of the costs. The enforcement debtor may avert enforcement by providing security in the amount of 110% of the enforceable amount, unless the enforcement creditor provides security in the amount of 110% of the enforceable amount prior to enforcement Failure to collect and process certain data in the ordering process is directed on their website.2The plaintiff is a company based in D .. It operates an online mail-order pharmacy under the brand "E.", which is available at "https: //www.E ..de ”. On October 6, 2018, a private person filed an online complaint with the Bavarian State Office for Data Protection Supervision (hereinafter: BayLDA) with regard to the online mail-order pharmacy operated by the plaintiff and complained about the type and scope of the data collection during the ordering process. The BayLDA forwarded this complaint to the defendant by email dated October 15, 2021 for processing on its own responsibility If the customer opts for the “Order without registration” option and then selects the “Continue without customer account” field, an order form is displayed which includes the form of address (with the selection options “Ms. "Or" Mr. ") and asks for the date of birth. Thereupon the defendant turned in the context of a supervisory examination procedure according to Art. 57 Para. 1 lit. a) and lit. f) and Art. 58 Para. 1 lit b) General Data Protection Regulation (hereinafter: GDPR) with a hearing dated November 2nd, 2018 to the applicant. The collection and processing of the salutation and date of birth violates the data protection principles of legality and data minimization. In a letter dated November 14, 2018, the plaintiff informed the supervisory authority that, in its opinion, the collection of the salutation and date of birth of the customers in order to fulfill the contract with the Customers as well as legal requirements. The collection and processing of the date of birth serve, among other things, to find out whether the contractual partner has limited or full legal capacity, because in the case of limited legal capacity, the custodian of the customer would have to approve the contract. The collection of this personal data is also permissible on the basis of a weighing of interests for the person responsible, because health risks / side effects are usually associated with the use of medication. Against this background, the age query is essential. Where necessary, the pharmacist must be able to dose medication according to age or be able to take into account the manufacturer's age recommendations. If pharmacists fail to carry out such an examination, they run the risk of dispensing medication that is not age-appropriate to customers and thus seriously violating contractual obligations. The query of the salutation serves a friendly and customer-appropriate address and therefore justifies an overriding legitimate interest of the plaintiff in the data processing.6 In a letter dated December 6, 2018, the defendant pointed out to the plaintiff that, even taking into account the comments made, violations of data protection law could still be ascertained. It is not necessary to collect the date of birth in every case. The corresponding query must be omitted if it is not necessary for age-appropriate dosage or to take into account the manufacturer's age recommendations. The blanket collection of the salutation regardless of whether the drug ordered has a gender-specific area of application in individual cases, violates the data protection principles of legality and data economy. In addition, there was a violation of the transparency requirement if the salutation was based on a legitimate interest in being addressed in a friendly manner. This legitimate interest is not mentioned as a legal basis either in the data protection declaration or in the order form.7 The plaintiff responded to this with a letter dated December 28, 2018 and deepened her presentation from the hearing process .2019 to refrain from collecting and / or having collected and processed the date of birth of the customer on the website with the URL https: //www.E..de in the ordering process, regardless of the type of medication ordered / or to have it processed (Section 1 of the notification). In addition, the defendant instructed the plaintiff to refrain from using the salutation, which was collected on the website with the URL https: //www.E..de in the order process, to fulfill the contract from January 23, 2019, if and insofar as the subject matter of the order is medication that is not to be dosed and / or taken in a gender-specific manner (section 2 of the notification). Finally, the defendant instructed the plaintiff to enable the legal basis for the collection and processing of the salutation in the ordering process, a friendly and customer-appropriate approach and communication, on the website with the URL https: //www.E .. de (section 3 of the decision). The defendant stated as a justification: The design of the ordering process contradicts the GDPR. There is a violation of the principle of data economy. The collection and processing of the date of birth is not permitted under data protection law, regardless of whether the individual case is a drug that has to be dosed in an age-appropriate manner. If a drug is to be taken regardless of age, it is not necessary to collect the date of birth in order to properly fulfill the purchase contract with the customer. The collection and processing of the date of birth could not be based on the safeguarding of a legitimate interest. The certainty as to whether someone has limited legal capacity or not and thus the consent or approval of the parents or other owners of property care is to be requested is a legitimate interest. For this, however, it is sufficient to query the age of majority as such. The processing of the salutation is not always necessary to fulfill the contract. If a drug is to be taken regardless of gender, it is not necessary to process the salutation. A friendly and customer-appropriate approach and communication is indeed an ideal interest in self-expression and thus there is basically a legitimate interest for the plaintiff within the meaning of the GDPR. However, this is not mentioned in the data protection declaration and in the order form, or otherwise on the plaintiff's website, so that there is a violation of the transparency requirement.9 In the meantime, the plaintiff has inserted the option "no information" in her order form with regard to the salutation "Mr / Ms" and Its data protection declaration is supplemented to the effect that this date is requested for the purpose of friendly and customer-appropriate approach and communication as well as on the basis of Art. 6 Paragraph 1 Clause 1 lit. . As a justification, it repeats and deepens its presentation from the administrative procedure. In addition, she essentially submits that the legality of the collection and use of the date of birth also results from Section 2 (1) No. 3 of the Ordinance on the Prescription of Medicinal Products (hereinafter: AMVV). According to this, pharmacists are only allowed to dispense medicinal products to buyers according to a medical prescription if the corresponding prescription contains certain data. This also includes the date of birth. The collection and processing of the date of birth are mandatory from this regulation. In addition, § 1 of the professional code of the Lower Saxony Chamber of Pharmacists results in an obligation to advise on age-appropriate dosage of medication, so that the collection and processing of the date of birth is also necessary and does not constitute a violation of data protection law. For this it is also not sufficient to simply ask for an age range. In addition, it can generally be assumed that the person who purchases the drug is also the person who will consume it later. In contrast to the pharmacy, the online retailer cannot use the external appearance of the person to estimate how old the person ordering the drug is and what scope of advice may be required. This is counteracted by querying the date of birth. The decision of a pharmacist as to which data from his point of view are necessary for high-quality, careful and comprehensive advice is part of his professional right protected by Art. 12 GG. The applicant also has a legitimate interest in inquiring about the date of birth in order to inquire about the age of majority of the customer and thus to be able to assess the effectiveness of the contract. This can be done more reliably by querying the specific date of birth. Because the inhibition threshold to enter three incorrect dates (day, month and year) is lower than simply ticking the box to confirm the age of majority. With regard to the collection of gender / salutation, the plaintiff now states in its data protection declaration that the processing of gender-specific information serves the purpose of friendly and customer-appropriate communication. Since this is obvious to the customer, there was no legal obligation to do so. In addition, pharmacists would have to take into account, in particular, the aspects of drug safety when providing information and advice on drugs according to Section 20 of the Pharmacy Operation Regulations (ApBetrO). This also includes advising on any side effects and interactions with other drugs. Regardless of whether the drug ordered is gender-related, the suitability of a drug can only be correctly assessed if the pharmacist knows the gender and can therefore estimate which other drugs the patient may be taking in order to be able to ask relevant questions. Finally, the defendant's orders are also disproportionate. The plaintiff was unreasonably imposed to change their order processes.11 The plaintiff originally requested the complete annulment of the defendant's decision of January 8, 2019. After the parties agreed that the legal dispute with regard to items 2 and 3 of the decision was settled in the oral hearing, the plaintiff also requests that item 1 of the defendant's decision of January 8, 2019 be set aside. 13 The defendant requests that the action be dismissed Justification, she deepens her presentation from the preliminary proceedings and refers to the justification of the disputed decision. In addition, she submits: Orders of prescription drugs using the web form provided by the plaintiff are not possible. The ordering process for such drugs is - this is undisputed - exclusively by analogue means by post. A separate order form is provided here. Accordingly, the plaintiff could not refer to Section 2 (1) No. 3 AMVV as far as the general query of the date of birth was concerned. A necessity to query the date of birth and gender does not follow from the legally anchored information and advice mandate of pharmacists. In order to actually be able to fulfill this, the advising pharmacist must know who will take the drug. However, it just does not correspond to the reality of life that the drug is always intended for the person who actually purchases it in the pharmacy or who orders it on the Internet. In addition, the suitability of processing the salutation to determine the further need for advice is doubtful in cases in which the biological and the lived sex of a person differ. With regard to the principle of data minimization, it should also be sufficient in a large number of cases to query the age range, e.g. whether someone is between 18 and 35 years old or whether the drug is intended for use on an infant or child. If, in individual cases, it is necessary to know the exact age for advice, this information can be requested within the framework of a telephone inquiry / advice. Section 17 (2a) no. 7 ApBetrO, according to which the pharmacy manager must ensure that the person being treated is informed that, as a prerequisite for the delivery of the pharmaceuticals, they must provide a telephone number with their order in order to give advice over the phone, also speak in favor of such handling enable. In addition, the legislature has only provided for the request for telephone number as a mandatory regulation for the dispatch of ordered drugs. If the legislature had wanted to make it a condition that the date of birth be communicated in advance, it would have expressly regulated it - as with the telephone number. The query of the date of birth is also not necessary for the fulfillment of main or secondary contractual obligations. Contrary to the legal opinion of the plaintiff, it is not necessary to state the legal basis for the collection and processing of the salutation in the ordering process. It is not obvious that this survey should be carried out in a customer-friendly and customer-appropriate manner. Finally, the disputed orders are also proportionate. It is not a matter of imposing unreasonable changes in business processes. Lesser means - such as a warning - would not have been available to bring about lawful data processing by the plaintiff.16 For further details of the facts, reference is made to the content of the court file and the administrative procedure involved. Insofar as the parties involved have unanimously declared the legal dispute with regard to items 2 and 3 of the defendant's decision of January 8, 2019 to be settled, the proceedings must be discontinued in accordance with Section 92 (3) sentence 1 VwGO. 18II. Otherwise, the admissible action remains unsuccessful. The defendant's decision of January 8, 2019 is lawful with regard to the prohibition order contained in Section 1 and does not violate the plaintiff's rights (Section 113 (1) sentence 1 VwGO) .191. The legal basis for the dispute is Article 58 (2) (d) of the General Data Protection Regulation (GDPR), Regulation no and to repeal RL 95/46 / EG (OJ L 119) in conjunction with Section 20 (1) Lower Saxony Data Protection Act (NDSG). According to this, every supervisory authority has all of the following remedial powers, which allow it to instruct the controller or the processor to bring processing operations into compliance with this regulation in a certain way and within a certain period of time. The order in section 1 of the defendant's decision of January 8, 2019 is formally lawful. The defendant is the supervisory authority responsible for monitoring non-public bodies that collect, process or use personal data, in particular on the basis of Art. 51 Paragraph 1 GDPR in conjunction with Section 40 Paragraph 1 Federal Data Protection Act (BDSG), Section 22 Paragraph 1 No. 1 NDSG . In this respect, Art. 51 (1) GDPR instructs the member states of the European Union to create an independent authority to monitor the application of the regulation. On the basis of this regulation, the federal legislature revised Section 40 (1) of the Federal Data Protection Act (BDSG) with effect from May 25, 2018 and transferred the monitoring of the scope of the GDPR for non-public bodies to the states (see Art. 1 and Art. 8 Data Protection Amendment and Implementation Act EU dated June 30, 2017; Federal Law Gazette I 2017, p. 2097). The Lower Saxony legislature has delegated the performance of these tasks to the state commissioner for data protection in Section 22 (1) No. 1 NDSG. 213. The orders are also substantively lawful.22a) The order of the defendant in section 1 of the decision of January 8, 2019 regarding the processing of the date of birth satisfies the certainty requirement following the rule of law. The principle of certainty requires that the content of the official decision is understandable for the addressee. The addressee must be able to recognize what is required of him. The authority's will must be fully and clearly expressed. However, it is sufficient if the content of the administrative act can be determined by interpretation based on its justification and taking into account circumstances known to the parties involved (cf. Bayerischer VGH, decision of 02.26.2007 - 1 ZB 06.2296 -, juris mwN ). In the order at issue it only states that it is ordered to refrain from collecting and processing the date of birth “regardless of the type of medication ordered” in the ordering process. In connection with the reasons for the decision, however, it clearly emerges that an omission of data collection will only be ordered for those products that can be ordered on the plaintiff's website and that do not require age-dependent dosage. The rationale for this number in the notification literally states: "The general collection and processing of the date of birth regardless of whether it is a drug that is to be dosed in an age-appropriate manner in individual cases is not permitted under data protection law." 24b) The date of birth A general personal date is a personal date within the meaning of Art. 4 No. 1 GDPR. The query of this date in the order form on the plaintiff's homepage is also a processing operation within the meaning of the GDPR. Because according to the definition contained in Art. 4 No. 2 GDPR, the term "processing" refers to any process carried out with or without the help of automated processes or any such series of processes in connection with personal data such as the collection, recording, organization, ordering, the storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, deletion or destruction.25c) the collection and Processing of the date of birth regardless of which product is ordered violates the principle of legality set out in Art. 5 Para. 1 lit. a GDPR and thus contradicts the GDPR Data are processed lawfully. This corresponds to the requirement of Art. 8 Para. 2 Clause 1 of the EU Charter of Fundamental Rights (GRC), according to which personal data may only be processed with the consent of the person concerned or on the basis of other legally regulated legitimate bases. Article 6 (1) GDPR takes up this principle by requiring that one of the legal bases for data processing regulated there must be present (see Schantz, in: BeckOK Datenschutzrecht, 37th Ed., As of May 1st, 2020, Article 5 GDPR, Rn. 5) .27 The collection and processing of the date of birth in the ordering process on the disputed website of the plaintiff - also for products that are to be dosed regardless of age - cannot be based on any of the legal bases mentioned in Art. 6 GDPR. 28aa) After the plaintiff If it is undisputed that no consent is obtained from the customer for data processing during the ordering process, the processing of the date of birth cannot be based on Art. 6 Para. 1 lit. a) GDPR.29bb) The query of the date of birth cannot be based on Art. 6 Para. 1 lit. b) GDPR are supported. According to this, the processing of personal data is lawful if it is necessary to fulfill a contract or to carry out pre-contractual measures. This is not the case here. The phrase “to fulfill a contract” must not be understood too narrowly in the legal technical sense. In addition to the "fulfillment" in the narrower sense, the preparation and initiation of the contract, its implementation as well as its processing, in particular for the fulfillment of warranty obligations or secondary performance obligations, are recorded (see Plath, in: Plath, DSGVO / BDSG, 3rd edition 2018, Article 6 GDPR, Rn. 11). Pre-contractual measures can also legitimize processing, but only if they are "carried out at the request of the person concerned". If there is a contract within the meaning of Art. 6 Paragraph 1 lit. If this is the case, a further balancing of interests is basically unnecessary (Plath, in: Plath, DSGVO / BDSG, 3rd edition 2018, Article 6 DSGVO, marginal 16). The GDPR does not explicitly define the concept of necessity. However, recital 39 provides a clue. Here it says: “Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.” The use of the term “reasonableness” allows the conclusion that, in principle, no excessively strict standards may be set for determining the necessity. Accordingly, it is argued that data processing is already necessary when no milder, economically equally efficient means is available to achieve the corresponding purpose with the same security (Plath, in: Plath, DSGVO / BDSG, 3rd edition 2018, Art. 6 GDPR, Rn. 18). Processing of personal data is also considered necessary if it is not essential for the conclusion of the contract, but can be seen as beneficial for the achievement of the business purpose. Accordingly, the necessity must also be assumed if a milder means is available, i.e. the legal transaction could also be carried out without the specific use of the data, but the choice of such a means with disadvantages for the person responsible and / or those concerned People would be connected. This applies all the more if the data is also used in the interests of the data subject, for example to enable better service or faster processing. In addition to the processing of the so-called "master data" such as the name, address and payment information, depending on the individual case, the processing of "further data", such as the processing of the date of birth, at least the year of birth, to verify the legal capacity or a Minimum age or to differentiate between several customers of the same name. In the context of this individual decision, the principle of data minimization from Art. 5 Paragraph 1 lit. based on this standard, the collection and processing of the exact date of birth, which is made up of day, month and year, is not required to fulfill the contract for products to be dosed regardless of age. Typically, the applicant and the persons ordering from its website conclude a purchase agreement for the product ordered. In order to fulfill this contract, the plaintiff is obliged to hand over the product to the customer and to obtain ownership of it, while the customer is obliged to pay for the product ordered. In principle, it is not necessary to inquire about the date of birth. The plaintiff must admittedly agree that, as a pharmacy mail order business, it has special advisory, information and clarification obligations and that these are (probably) also to be classified as secondary contractual obligations. The pharmacist has to advise and inform patients and other customers as well as those authorized to practice medicine, veterinary medicine or dentistry about drugs and pharmacy-only medical devices. The information and advice on medicinal products must, in particular, take into account aspects of medicinal product safety and include the appropriate use of the medicinal product. The pharmacist also has to inform and advise about possible side effects or interactions resulting from the information on the prescription and the information provided by the patient or customer as well as about the proper storage or disposal of the drug, insofar as this is necessary. He has to conscientiously determine with patients and other customers to what extent they may need further information and advice, and offer them appropriate advice. In the case of self-medication, it must also be determined whether the desired drug appears suitable for use by the intended person or in which cases it is advisable to consult a doctor if necessary (cf. for Lower Saxony, § 9 Professional Code of the Lower Saxony Chamber of Pharmacists) .31 The Chamber does not doubt that advice on age-appropriate dosage may also be necessary in this context. Regardless of whether, for the purpose of age-appropriate advice, querying the customer's date of birth is actually the right means - in this respect the Chamber shares the view of the defendant that consequently the age of the person should be queried for whom the ordered product is intended to be used / ingested which does not necessarily have to be the same person as that of the customer - a look at the plaintiff's product range shows that a large assortment of goods is offered on the disputed website, which are obviously used or consumed regardless of age. Correspondingly, the corresponding products can also classically be purchased in a drugstore, which in principle does not offer advice from a pharmacist. Only the following product fields are mentioned here as examples: plasters, bandages, facial and body care creams, foot baths, insoles, perfumes, room fragrances, hand and nail care products and hair care products. A special age-related need for advice is not recognizable for these products; special age-related secondary obligations such as an obligation to advise on the contract cannot therefore be conceived for these products.32 Furthermore, there are some indications that the plaintiff is only advancing the argument of age-appropriate advice. If the query of the date of birth actually serves to provide age-appropriate advice, it does not make sense why other data that are necessary for adequate advice - such as questions about pregnancy / use of other medication - are not asked.33 The plaintiff also does not press the Argument through that she must ask for the date of birth to check the legal capacity of the customer. The risk of a reversal in the case of pending and ineffective contracts can be countered with the simple query of the age of majority. As far as the plaintiff thinks that the inhibition threshold to provide false information is lower with this type of query than when the entire date of birth is queried, the chamber does not follow this. Rather, it can be assumed that people who want to abuse the anonymity of “online shopping” are not deterred by having to provide a full date of birth. In addition, it should be pointed out that querying the date of birth, at least in those cases in which the legal incapacity does not result from the age but from the state of health of the customer, is also not suitable to protect the claimant from (pending) ineffective contracts. 34If the date of birth could be required as an identification criterion for online ordering processes in individual cases, the plaintiff has not asserted that the date of birth is required for this purpose.35cc) The query of the date of birth cannot be based on Art. 6 Para. 1 lit. c) GDPR supported. According to this, data processing is permitted if it is necessary to fulfill a legal obligation to which the person responsible is subject. In contrast to Article 6 (1) (b) GDPR, Article 6 (1) (c) GDPR with “legal obligation” does not mean a contractual obligation based on an autonomous decision, but an obligation based on the law of the Union or a member state. Such a legal obligation is not evident for the plaintiff's range of products, which do not require age-dependent dosage.36 In particular, it does not result from Section 2 (1) No. 3 of the Medicinal Prescription Ordinance. According to this standard, a prescription must contain the name and date of birth of the person for whom the medicinal product is intended.37 The plaintiff cannot rely on this provision because the only subject at issue in the present dispute is the ordering process for over-the-counter products on the plaintiff's website. Ultimately, only those can be ordered without registration using the ordering process described by the defendant. The order of prescription drugs via the plaintiff's website takes place in a separate way and requires the prescription to be sent by post.38 If the above-mentioned information and advice obligations of pharmacists are not to be qualified as secondary contractual obligations, but as statutory obligations, then it is for those products offered by the plaintiff that are to be dosed / used regardless of age are to be referred to the statements set out under bb). 39dd) The query of the date of birth for products to be dosed irrespective of age can ultimately not be based on Art. 6 Para. 1 lit. ) GDPR are supported. According to this, data processing is lawful if the processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh them, in particular if it is the person concerned is a child. The necessity of processing is also assumed here, as under lit. . 2018, Article 6 GDPR, Rn. 56) .40 Insofar as the plaintiff submits that it has a legitimate interest in being able to find out whether the customer is (limited) legally competent due to his age, this must be weighed against this The right to informational self-determination of the respective purchaser from Article 2, Paragraph 1 in conjunction with Article 1, Paragraph 1 of the Basic Law, which conflicts with interest, is not in the present case because it already fails because of the need to collect data for this purpose. In this regard, the plaintiff must - as already explained - refer to the milder, equally efficient means of inquiring about the age of majority.41d) The order made is also not disproportionate. It is suitable for preventing the objection to the GDPR. There is also no evidence of a milder equally efficient means of eliminating the illegal situation - in particular, the defendant did not have to limit itself to the means of warning after the plaintiff had already indicated in the official hearing that it did not recognize a data breach with regard to the processing of the date of birth . It is also not apparent that it would be unreasonable or unreasonable for the plaintiff to technically design its website in such a way that the date of birth is only requested for those products for which age-related advice is required. The Chamber is also aware of this from other online retailers who, for example, offer video games with an age restriction or spirits and whose website provides a special query for these products only. The Chamber also does not assume that a corresponding change of the website will result in significant economic losses - albeit with a certain amount of work - which the plaintiff has in favor of the informational self-determination of its customers from Art. 2 Para. 1 in conjunction with Art. 1 Para. 1 GG.42 III. The decision on costs is a mixed cost decision (Section 155 (1) Sentence 1 VwGO) on the one hand from Section 154 (1) VwGO, insofar as the action has been upheld and the plaintiff has been unsuccessful, and on the other hand from Section 161 (2) VwGO as a decision of the court taking into account the current state of affairs and the dispute at its reasonable discretion, provided that the parties have declared the proceedings to be settled. It is reasonable if the plaintiff bears the costs for this part as well.43 The plaintiff has declared the legal dispute with regard to paragraphs 2 and 3 of the disputed decision to be settled after it has itself adjusted its order form and its data protection declaration. With regard to the salutation in the order form, in addition to the selection options “Mr / Ms”, there is now also the option of making “no information”. In addition, the plaintiff has added the information to its data protection declaration that the salutation is processed for the purpose of friendly and customer-appropriate address and communication and that processing is carried out on the basis of Art. 6 Paragraph 1 Clause 1 lit.f) GDPR. Accordingly, it can be assumed that it has factually accepted the defendant's decision in this regard and for this reason will no longer pursue the lawsuit. This is tantamount to a hidden withdrawal of the lawsuit.44 However, your lawsuit would have had no prospect of success in this regard either. The collection and processing of gender / the salutation for the fulfillment of the contract in the order process on the disputed website of the plaintiff - also for products that are to be dosed or taken / used regardless of gender - cannot be based on Art. 6 Para. 1 lit. b GDPR 45 In this regard, too, the Chamber generally recognizes that pharmacists have to fulfill special information and advice obligations as secondary contractual obligations. For certain products, pharmacists will also have a gender-specific advisory obligation. However, it is also true here that a look at the disputed website of the plaintiff shows that a large number of the products it offers do not require special gender-specific advice. With regard to these products, data processing cannot therefore be based on Article 6 (1) (b) GDPR. As with the products to be dosed regardless of age, the plaintiff can be expected to design the ordering process in such a way that the gender / salutation is only queried for products that require gender-specific advice. Such a procedure would also have the advantage that it should also become clear to the purchaser that it depends on the one hand on the biological sex and on the other hand on the sex of the person for whom the product is actually intended in later use .46 Insofar as the salutation to safeguard a legitimate interest of the plaintiff within the meaning of Art. 6 Para. 1 Clause 1 lit.f GDPR may be collected and processed in the ordering process on the plaintiff's website, the failure to mention the legal basis for this data processing violated the in Art 5 Paragraph 1 lit. a in conjunction with Art. 12 Paragraph 1 and Art. 13 Paragraph 1 lit. c GDPR standardized transparency principle. Art. 5 para. 1 sentence 1 lit. a GDPR requires that the data subject must be able to understand the data processing. Recital 39 sentence 2 makes it clear that the person concerned must already have prospective clarity about future data processing, because this is the only way for the person concerned to maintain control over their personal data (see recital 7 sentence 2) (Schantz, in : BeckOK data protection law, 37th ed., As of May 1st, 2020). This principle is specified in Art. 12 GDPR, which in turn refers to Art. 13, 14 and 15-22 as well as Art. 34 GDPR. Article 13 (1) GDPR provides in lit. c to the effect that the purposes of the intended data processing and the legal basis for this are to be specified. For this purpose, it is sufficient if a corresponding catchphrase is mentioned with regard to the purpose and, with regard to the legal basis, one or more of the case groups mentioned in Art. 6 Paragraph 1 is cited (Kamlah, in: Plath, DSGVO / BDSG, 3. Edition 2018, Article 13 GDPR, Rn. 11). At the decisive point in time when the decision was issued on January 8, 2019, it was not indicated in the data protection declaration of the applicant or in the order form itself that the query of the salutation is collected and processed to enable a friendly and customer-appropriate address and communication and thus a legitimate interest of The applicant in the sense of the legal basis of Article 6 (1) (f) GDPR.47The applicant cannot refer to Article 13 (4) GDPR in this regard. According to this, it is not necessary to state the purpose and legal basis of the data processing if and to the extent that the person concerned already has the information. The existing knowledge can in principle also be justified by the fact that the circumstances are obvious (see Kamlah, in: Plath, DSGVO / BDSG, 3rd edition 2018, Article 13 DSGVO, Rn. 31d). With regard to the fact that customers are regularly addressed in order confirmations without specific or gender-neutral address (for example "Dear customer, dear customer") and the collection of the salutation / gender also other reasons - such as those given by the applicant herself gender-specific advice - it does not in the present case suggest that the purpose of the corresponding data processing is customer-friendly and appropriate addressing, which can be based on Art. 6 Para. 1 lit. f GDPR.48IV. The decision on the provisional enforceability is based on § 167 VwGO in connection with § 708 No. 11 and § 711 sentences 1 and 2 ZPO. You can copy and use this link if you want to link precisely this document: https: //www.rechtsprechung.niedersachsen.de/jportal/? Quelle = jlink & docid = MWRE210003991 & psml = bsndprod.psml & max = true










 











To press





seek
Advanced Search
dishes
Areas of law
RSS
Lower Saxony regulations information system NI-VORIS



Image rights
imprint
data protection
Contact
table of contents


to the top