The Court of Justice of the European Union (“CJEU”) has recently issued a significant judgment in the case “Lindenapotheke” (C-21/23), taking a clear stance on the processing of special categories of personal data, namely health data, in the context of online medicine sales within the pharmaceutical industry. The ruling sheds light on how the General Data Protection Regulation (“GDPR”) applies to the data that users provide when ordering pharmacy-only medicinal products online, even those not subject to prescription, and provides clear guidance on the rights and obligations of data controllers.
Legal Framework: Health Data as a Special Category of Personal Data
Under the GDPR, health data falls within the category of “special categories of personal data” and is subject to a stricter processing regime. Processing of such data is permitted only under specific conditions, such as the explicit consent of the data subject. In the pharmaceutical sector, where sensitive information is routinely processed, correct application of these rules is essential for safeguarding individuals’ rights.
Case Background: How Did the Lindenapotheke Dispute Arise?
The dispute arose between two competing pharmacy chains in Germany, one of which sold non-prescription medicines through pharmacies via the Amazon platform. When placing an order, customers were required to enter various personal data, including their full name, delivery address, and the specific medicine they wished to purchase. Taken together, these data points allowed for reliable inferences to be drawn about the customer’s health condition and individualized treatment. The competing pharmacy chain argued that this constituted unlawful processing of health data, as no explicit consent had been obtained from users. The German courts initially accepted this argument, holding that the processing in question was not in line with the GDPR and amounted to an unfair commercial practice.
CJEU Judgment: Limits and Conditions for Processing Health Data in Pharmaceutical E-Commerce
The Court of Justice of the European Union was asked to consider whether the data that users enter when purchasing pharmacy-only medicines online, although not subject to prescription, should be regarded as health data within the meaning of Article 9 of the GDPR. The Court emphasized that the definition of health data must be interpreted broadly and includes information that may indirectly reveal a person’s health status. However, not every instance of such data processing is automatically high-risk or prohibited – the context and the ability to draw reliable conclusions about the person’s health are decisive.
The CJEU confirmed that data concerning the purchase of pharmacy-only medicines, whether prescription-based or not, may qualify as health data if such information allows for a reliable inference about the individual’s health condition. The Court further clarified that this classification does not depend on the accuracy of the data or the data controller’s intention. It also stressed that, for processing to be lawful, the explicit consent of the data subject is required – a condition that had not been met in this case – rendering the processing unlawful.
In addition, the CJEU confirmed that the GDPR does not preclude national laws from granting competitors or consumer protection associations the right to bring legal action for GDPR violations in the context of unfair commercial practices. This further strengthens the protection of data subjects’ rights.
Practical Implications: What Does the Ruling Mean for the Pharmaceutical Sector?
This judgment provides clear guidance to pharmaceutical companies, pharmacies, and online medicine sales platforms. They must carefully assess the types of data they collect and process, especially when dealing with sensitive information that could indicate a user’s health status. Obtaining explicit consent becomes an essential requirement for lawful processing, and failure to comply may result in legal sanctions and business restrictions.
Impact on Domestic Practice: Interpreting the Serbian Law on Personal Data Protection in Light of the CJEU Judgment
Although Serbia is not a member of the EU, the Serbian Law on Personal Data Protection (“LPDP”) follows EU standards and sets out similar rules for the protection of health data. The CJEU’s judgment in “Lindenapotheke” is directly relevant to Serbian practice, as it reaffirms the high level of protection afforded to sensitive data and underscores the importance of explicit consent as a legal basis for processing. It also opens the door for broader interpretation and application of domestic laws that enable legal action in response to data protection breaches, thus enhancing legal certainty and citizen protection.
By Sonja Stojcic, Senior Associate, PR Legal