CJEU Ruling Expands GDPR Rules for Health-Related Data
In a significant decision on 4 October 2024, the Court of Justice of the European Union clarified the interpretation of ‘data concerning health’ under the General Data Protection Regulation (GDPR). This ruling has important implications for online pharmacies and e-commerce platforms handling health-related products.
1. Background of the Case
This case arose from a dispute between two pharmacists in Germany, ND and DR, concerning the online sale of pharmacy-only medicinal products. ND operated a pharmacy that marketed and sold such products through an e-commerce platform (Amazon-Marketplace). DR, a competitor, alleged that ND’s practices violated data protection laws under the GDPR, as the collection and processing of customer purchase data involved sensitive personal information, specifically health data.
The case was referred to the Court of Justice of the European Union (Court) by the German Federal Court of Justice, seeking clarity on two key issues:
- Does the data collected in the context of selling pharmacy-only products qualify as ‘data concerning health’ under the GDPR?
- Can a competitor, such as DR, bring legal proceedings to enforce GDPR compliance, assuming such action is permitted under national law?
Key Aspects of the Decision
- Definition of ‘Data Concerning Health’: The Court determined that information about the purchase of pharmacy-only medicinal products qualifies as ‘data concerning health’ under Article 4(15) of the GDPR. This is because such data can reveal information about an individual’s health status.
- Processing Conditions: The Court emphasised that processing health data is generally prohibited unless specific conditions are met, as outlined in Article 9(2) of the GDPR. These conditions include obtaining explicit consent from the data subject or fulfilling obligations in the field of employment and social security law.
- Enforcement by Competitors: The ruling also addressed whether a competitor, such as DR, has the standing to bring a legal action against another business for alleged GDPR violations. The Court concluded that competitors could initiate such actions if national law permits and if the infringement affects the competitor’s interests.
2. Practical Implications for Businesses
The decision clarifies the scope of ‘data concerning health’ and underscores the compliance responsibilities for businesses, especially in e-commerce. Below are the key implications:
- Online Pharmacies: If you operate an online pharmacy or sell pharmacy-only medicinal products, this decision directly affects you. Customer purchase data related to these products now falls under the category of ‘data concerning health,’ even if it appears non-sensitive at first glance.
- E-commerce Platforms: E-commerce platforms that enable third-party vendors to sell health-related products may find themselves implicated in the processing of sensitive health data. Even if the platform itself doesn’t directly sell these products, it may process customer data (e.g. purchase details or transaction information) that reveals health-related insights.
- Health-Related Products and Services: The implications are not limited to pharmacies. Other businesses—such as fitness services, dietary supplement vendors, or wellness apps—must consider whether their data processing activities reveal health-related information.
- Competitor Actions: Companies should be aware that competitors may have the legal standing to challenge their data processing practices if they are deemed non-compliant with data protection laws, depending on national legislation.
3. Key Compliance Actions for Businesses
To mitigate risks and ensure adherence to GDPR requirements:
- Review Data Collection Processes: Examine whether any customer data you collect may reveal health information, either directly or indirectly.
- Obtain Explicit Consent: Ensure consent mechanisms meet GDPR standards, especially for sensitive data categories.
- Vendor Audits: Regularly audit third-party vendors to ensure they meet GDPR standards, especially when handling sensitive data.
- Train Staff on GDPR Compliance: Ensure employees handling sensitive data understand the heightened requirements for health data.
- Consult Legal Experts: Regularly review practices with legal counsel to keep pace with evolving GDPR interpretations and case law.
How we can help
If your business handles health-related data or operates in the e-commerce space, we can help you stay compliant with GDPR requirements. From drafting GDPR-compliant data processing agreements to reviewing your data protection practices, our legal experts provide tailored solutions to protect your business.
Schedule a complimentary 20-minute call with our lawyers to discuss your compliance needs and ensure your data practices meet the latest legal standards.
Read other articles written by Anna Levitina