Lindenapotheke Overview C-21/23 - Lindenapotheke

This case is a valuable step forward in data privacy. It looks at how GDPR can be enforced not only by data subjects and authorities but also by competitors. It also expands what’s considered “health data” under GDPR, which could impact many businesses.

Below is a simplified summary of the case’s facts, questions, and arguments, along with my own analysis at the end. For easy reference, I’ve included clause numbers.

You can find the full case here.


Facts

25. ND operates a pharmacy called “Lindenapotheke” and, since 2017, has been selling pharmacy-only non-prescription medicinal products on Amazon Marketplace. When customers place orders for these products, they are required to enter details such as their name, delivery address, and information to help identify the ordered products.

26. DR, who also runs a pharmacy, filed a lawsuit in the Landgericht Dessau-Roßlau (Regional Court, Dessau-Roßlau, Germany) seeking an order to stop ND from selling these pharmacy-only products on Amazon. DR claims that, without obtaining customer consent for processing data related to health, ND should not be allowed to sell on Amazon.

27. DR argues that selling pharmacy-only products on Amazon without ensuring customer consent for data processing is unfair because it does not meet the data protection requirements. According to DR, this lack of compliance makes ND’s marketing practices on Amazon unfair.


Questions

(1) Do the rules in Chapter VIII of the GDPR prevent national laws from allowing competitors to bring cases against one another for GDPR breaches before civil courts, based on rules against unfair commercial practices, even if there are already powers for authorities to intervene and options for legal redress for data subjects?

(2) Does the information entered by customers on an online pharmacy platform—such as names, delivery addresses, and product-specific details—count as health data under Article 9(1) of the GDPR and Article 8(1) of Directive 95/46?


Arguments


Question 1

53. Chapter VIII of the GDPR does not expressly rule out the possibility for a competitor to bring a lawsuit against another business based on unfair commercial practices, even if it involves GDPR obligations. Instead, Articles 77(1), 78(1), and 79(1) of the GDPR indicate that rights to lodge a complaint or seek judicial remedy are “without prejudice” to other available remedies.

54. Chapter II of the GDPR includes rules on data processing principles (Article 5) and lawful processing conditions (Article 6), aimed at protecting personal data rights. The absence of any provisions in Chapter VIII for competitors to take action against other companies may be because GDPR is intended to protect data subjects specifically, not their competitors (as noted by the Advocate General in point 80).

55. Although GDPR infringements mainly affect data subjects, they can also impact third parties, including competitors. Article 82(1) GDPR states that “any person” who suffers damage due to a GDPR breach has the right to compensation. The court has previously ruled that data protection violations can relate to consumer protection or unfair competition issues and may hint at abusive dominance in the market (referencing judgment of 28 April 2022, Meta Platforms Ireland, C-319/20, and judgment of 4 July 2023, Meta Platforms and Others, C-252/21).

56. In the digital economy, personal data access is a key competition factor. Given this importance, GDPR enforcement may need to be considered within the context of competition law and unfair commercial practices to ensure fair market conditions (referring to the Meta Platforms judgment, C-252/21).

59. While Chapter VIII does not contain an opening clause for competitor lawsuits, its context and wording suggest that the EU did not intend for GDPR to be a completely exhaustive set of remedies, leaving room for national laws to permit competitors to bring actions based on unfair commercial practices.

61. Recital 10 of the GDPR emphasizes high, consistent protection for individuals, while Recital 11 highlights the need to reinforce rights and obligations for both data subjects and processors, aiming for uniform monitoring and sanctions across the EU. Allowing competitors to bring actions under national unfair commercial practice laws may help ensure these protections.

62. The court notes that allowing competitors to file for injunctions based on unfair commercial practices strengthens GDPR’s effectiveness and enhances data protection rights.

63. A competitor’s application for injunctive relief does not interfere with the GDPR’s system of remedies in Chapter VIII, nor does it challenge the GDPR’s aim to provide a consistent protection level across the EU.

64. While these actions might incidentally use the same GDPR provisions that data subjects could rely on, competitor-driven injunctive relief seeks to ensure fair competition rather than focusing on protecting individual rights and freedoms.

65. Unlike GDPR Articles 77 to 80, a competitor’s application for injunctive relief is intended to ensure fair competition and serves the competitor’s interest rather than directly protecting data subject rights.

66. The remedies provided in GDPR Articles 77 to 79 are still fully available to data subjects, meaning competitor actions for unfair commercial practices are supplementary.

67. The coexistence of remedies under both data protection and competition laws doesn’t endanger GDPR’s uniform application, as GDPR Articles 77 to 80 do not give any priority or precedence among these authorities or courts.

68. Allowing competitors to use GDPR provisions in civil actions doesn’t undermine EU-wide data protection consistency, as GDPR binds all controllers, and national authorities and courts uniformly enforce GDPR compliance.

70. Competitor actions may be highly effective for data protection, as they can prevent widespread GDPR violations affecting data subjects (as in judgment of 28 April 2022, Meta Platforms Ireland, C-319/20).

71. Thus, interpreting GDPR to permit competitor actions for unfair practices aligns with GDPR’s objective to protect individuals' fundamental rights to data protection, consistent with Article 16(1) TFEU and Article 8 of the EU Charter of Fundamental Rights.

73. Based on the above, the answer to the first question is that Chapter VIII of the GDPR should be interpreted as not preventing national laws that, in addition to the supervisory authorities’ powers and available remedies for data subjects, allow competitors to take civil action based on the prohibition of unfair commercial practices.


Question 2

76. Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR include “data concerning health” in the special categories of personal data. GDPR Article 4(15) and recital 35 define this broadly to include any data revealing a natural person’s health status, including healthcare information.

77. Article 4(1) of the GDPR states that “personal data” encompasses any information related to an identified or identifiable person. A person can be identified directly or indirectly by factors like a name, ID number, location, or unique characteristics.

78. Data on medicinal product purchases, if it reveals health status of an identifiable individual, qualifies as “data concerning health” under GDPR Article 4(15).

79. In this case, ND’s customers provide details like their name and delivery address when ordering products online, making it “personal data” because it pertains to identifiable individuals.

81. GDPR and Directive 95/46 aim to provide a high level of protection for fundamental rights, especially privacy. Therefore, the court has taken a broad approach to interpreting “data concerning health,” as in prior judgments (judgments of 6 November 2003, Lindqvist, C-101/01, and 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20).

82. GDPR protections include indirect data that might reveal sensitive information about an individual if the effectiveness of these protections and individual rights could otherwise be compromised (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20).

83. To be considered “data concerning health,” data only needs to reveal health information through a process of deduction or collation (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20).

84. Information customers enter when ordering pharmacy-only products on an online platform can reveal health status, linking a product to its therapeutic uses and an identifiable individual’s details, like their name or delivery address.

86. Under Article 9(1) of the GDPR, if personal data processed by a pharmacy operator on an online platform reveals information within protected categories, this processing falls under the GDPR’s health data protections, regardless of whether it involves the user or another person.

87. This protection applies independently of whether the data is accurate or intended to obtain sensitive information, due to the risks to individual freedoms associated with processing special category data (judgment of 4 July 2023, Meta Platforms and Others, C-252/21).

88. Consequently, when a customer provides personal data for pharmacy-only product orders that do not require a prescription, this counts as processing health data under GDPR Article 9(1) and Directive 95/46 Article 8(1), as it may reveal health information regardless of who the order is for (judgment of 4 July 2023, Meta Platforms and Others, C-252/21).

90. Therefore, even when pharmacy-only products are ordered without a prescription, the customer information provided during these transactions qualifies as health data under GDPR and Directive 95/46, as it could indicate the customer’s or another person’s health status with reasonable probability.

91. It is possible that the pharmacy-only products ordered are intended for someone other than the customer placing the order. For instance, if the delivery address is for a third party or if the customer’s order or any communication about it references another identifiable individual, such as a family member, this information can still reveal health-related information about that third party.

92. According to point 86, classifying this type of information as “data concerning health” under Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR does not prohibit its processing outright. Processing health data may still be permissible in specific contexts, such as managing healthcare services and systems, provided it meets one of the conditions in paragraph 2 of these provisions (for instance, through a legitimate healthcare management need).

93. An example of permissible processing is when a customer gives explicit consent, as specified in Article 9(2)(a) of the GDPR. This consent must be provided in a clear, detailed, and understandable manner, tailored to specific processing purposes. Another allowable case is outlined in Article 9(2)(h) of the GDPR, where processing is necessary for healthcare provision, based on either EU or Member State law or a contract with a healthcare provider.

94. In summary, Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR should be interpreted to mean that when a pharmacy operator sells pharmacy-only products on an online platform, the information provided by customers (such as names, delivery addresses, and product-specific details) qualifies as “data concerning health.” This classification applies even if the product doesn’t require a prescription, as the data can reveal health status information.


So why is this case important?

First, this case is a landmark for competitor-driven enforcement in data protection. Not only data subjects and authorities but also competitors can initiate a case against a data controller. At first glance, this might not seem substantial; however, in practice, many data subjects’ complaints and requests go unresolved, and the majority of individuals simply give up because of the time and financial resources needed to challenge large companies. Authorities, meanwhile, are often overwhelmed, which limits their capacity to respond effectively. Competitors, on the other hand, often have both the resources and the motivation to scrutinize and challenge an opponent. This case thus establishes a precedent that could raise awareness and heighten compliance pressures. However, it also introduces an interesting ambiguity about how penalties under anticompetition and data protection laws will apply simultaneously. This raises questions about whether GDPR fines might overlap with competition penalties or whether one set of laws will take precedence.

Second, the court takes a broad view of “data concerning health” under GDPR, meaning that even data indirectly revealing health information (such as purchasing pharmacy-only non-prescription drugs) can qualify as health data. This broad interpretation implies that businesses handling health-related products, even non-prescription ones, must handle such customer data with the same protections GDPR mandates for sensitive health information. For pharmacies selling non-prescription drugs online, it becomes challenging to rely on Article 9(2)(h) GDPR to process health data without explicit consent. The sale of non-prescription drugs does not typically qualify as “health or social care” provision under GDPR, meaning these pharmacies likely need to secure explicit consent to process any health-related data associated with such purchases. However, this should be assessed on a case-by-case basis and against the respective national legislation.

I hope this overview is helpful for your work or studies 🤓


Written By

Anastasiia Klymenko