26 November 2024

CJEU Ruling Expands GDPR Rules For Health-Related Data

Logan & Partners

Logan & Partners is a Swiss law firm focusing on Technology law and delivering legal services like your in-house counsel. We are experts in Commercial Contracts, Technology Transactions, Intellectual Property, Data Protection, Corporate Law and Legal Training. We are dedicated to understanding your industry and your business needs and to delivering clear and actionable legal services.

In a significant decision on 4 October 2024, the Court of Justice of the European Union clarified the interpretation of 'data concerning health' under the General Data Protection Regulation (GDPR). This ruling has important implications for online pharmacies and e-commerce platforms handling health-related products.

1. Background of the Case

This case arose from a dispute between two pharmacists in Germany, ND and DR, concerning the online sale of pharmacy-only medicinal products. ND operated a pharmacy that marketed and sold such products through an e-commerce platform (Amazon-Marketplace). DR, a competitor, alleged that ND's practices violated data protection laws under the GDPR, as the collection and processing of customer purchase data involved sensitive personal information, specifically health data.

The case was referred to the Court of Justice of the European Union (Court) by the German Federal Court of Justice, seeking clarity on two key issues:

  • Does the data collected in the context of selling pharmacy-only products qualify as 'data concerning health' under the GDPR?
  • Can a competitor, such as DR, bring legal proceedings to enforce GDPR compliance, assuming such action is permitted under national law?

Key Aspects of the Decision

  • Definition of 'Data Concerning Health': The Court determined that information about the purchase of pharmacy-only medicinal products qualifies as 'data concerning health' under Article 4(15) of the GDPR. This is because such data can reveal information about an individual's health status.
  • Processing Conditions: The Court emphasised that processing health data is generally prohibited unless specific conditions are met, as outlined in Article 9(2) of the GDPR. These conditions include obtaining explicit consent from the data subject or fulfilling obligations in the field of employment and social security law.
  • Enforcement by Competitors: The ruling also addressed whether a competitor, such as DR, has the standing to bring a legal action against another business for alleged GDPR violations. The Court concluded that competitors could initiate such actions if national law permits and if the infringement affects the competitor's interests.

2. Practical Implications for Businesses

The decision clarifies the scope of 'data concerning health' and underscores the compliance responsibilities for businesses, especially in e-commerce. Below are the key implications:

  • Online Pharmacies: If you operate an online pharmacy or sell pharmacy-only medicinal products, this decision directly affects you. Customer purchase data related to these products now falls under the category of 'data concerning health,' even if it appears non-sensitive at first glance.
  • E-commerce Platforms: E-commerce platforms that enable third-party vendors to sell health-related products may find themselves implicated in the processing of sensitive health data. Even if the platform itself doesn't directly sell these products, it may process customer data (e.g. purchase details or transaction information) that reveals health-related insights.
  • Health-Related Products and Services: The implications are not limited to pharmacies. Other businesses—such as fitness services, dietary supplement vendors, or wellness apps—must consider whether their data processing activities reveal health-related information.
  • Competitor Actions: Companies should be aware that competitors may have the legal standing to challenge their data processing practices if they are deemed non-compliant with data protection laws, depending on national legislation.

3. Key Compliance Actions for Businesses

To mitigate risks and ensure adherence to GDPR requirements:

  • Review Data Collection Processes: Examine whether any customer data you collect may reveal health information, either directly or indirectly.
  • Obtain Explicit Consent: Ensure consent mechanisms meet GDPR standards, especially for sensitive data categories.
  • Vendor Audits: Regularly audit third-party vendors to ensure they meet GDPR standards, especially when handling sensitive data.
  • Train Staff on GDPR Compliance: Ensure employees handling sensitive data understand the heightened requirements for health data.
  • Consult Legal Experts: Regularly review practices with legal counsel to keep pace with evolving GDPR interpretations and case law.

How we can help

If your business handles health-related data or operates in the e-commerce space, we can help you stay compliant with GDPR requirements. From drafting GDPR-compliant data processing agreements to reviewing your data protection practices, our legal experts provide tailored solutions to protect your business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
