In its judgment of 4 October 2024 (Case C-21/23), the ECJ ruled on the question referred for a preliminary ruling as to whether the personal data of a pharmacist’s customers, which are entered on a sales platform when ordering pharmacy-only but non-prescription medicines (customer name, delivery address and information necessary for the individualisation of the pharmacy-only medicine ordered), are to be classified as health data within the meaning of Art. 4 No. 15 and Art. 9 para. 1 GDPR.
- Facts of the ECJ judgement “Lindenapotheke” – sale of pharmacy-only medicinal products via Amazon Marketplace
The facts of the decision are quickly explained. A pharmacist who runs a pharmacy under the business name “Lindenapotheke” has been selling pharmacy-only but non-prescription medicines (so-called OTC medicines) via the online platform “Amazon Marketplace” since 2017 (the judgement therefore also contains statements on Directive 95/46/EC). When ordering these medicines online, the pharmacy’s customers must enter details such as their name, delivery address and the information required to personalise the medicines. Another pharmacist took legal action against this practice and requested that the competitor be prohibited from selling pharmacy-only medicines via the Amazon Marketplace under threat of administrative sanctions as long as it was not ensured that customers had the opportunity to consent to the processing of health data in advance.
After the legal dispute ended up before the Federal Court of Justice on appeal, the latter also referred the aforementioned question to the ECJ – in addition to the question of the ability to issue warnings for data protection violations by competitors.
- Reasoning of the ECJ in the “Lindenapotheke” judgement
In its judgement, the ECJ ruled that the personal data concerned constitutes health data. The central statements of the ECJ (with emphasis):
- “For personal data to be categorised as data concerning health […], it is sufficient […] that the state of health of the person concerned can be inferred from those data by means of a mental combination or deduction […]. From the data entered by a customer when ordering pharmacy-only medicinal products via an online platform, it is possible to infer the state of health of the data subject […] by means of a mental combination or deduction, since the order establishes a link between a medicinal product, its therapeutic indications and uses and an identified natural person or a natural person identifiable by details such as the name or the delivery address.” (para. 83 and 84)
- “Accordingly, where a user of an online platform submits personal data when ordering pharmacy-only but non-prescription medicinal products, the processing of those data by the operator of a pharmacy distributing those medicinal products via the online platform must be regarded as processing of health data […] since the processing of those data may reveal information about the state of health of a natural person, regardless of whether that information relates to the user or to another person for whom the order is placed […].” (para. 88)
- “An interpretation […] which would differentiate according to the type of medicinal product concerned and whether its sale requires a medical prescription would not be in line with the […] objective of a high level of protection. Such an interpretation would also run counter to the purpose of […] Article 9(1) GDPR, which is to ensure greater protection against data processing operations which […] may constitute a particularly serious interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter […] due to the particular sensitivity of the data concerned […].” (para. 89)
- “Consequently, the information entered by the customers of a pharmacy operator when ordering pharmacy-only but non-prescription medicines online constitutes health data […], even if those medicines are intended for those customers only with a certain degree of probability and not with absolute certainty.” (para. 90)
With this judgement, the ECJ continues its case law on the extremely broad interpretation of Art. 9 GDPR and confirms previous rulings. These include, in particular, the judgements of 1 August 2022 (Case C-184/20) and 4 July 2023 (Case C-252/21). In these judgements, the ECJ had already ruled that the processing of personal data that is suitable for indirectly revealing a special category of personal data pursuant to Art. 9 GDPR (by means of mental combination or derivation) constitutes processing of such special categories. Furthermore, the fundamental prohibition provided for in Art. 9 para. 1 GDPR applies regardless of whether the information disclosed by the processing in question is correct or not and regardless of whether the controller is acting with the aim of obtaining information that falls under one of the special categories mentioned in this provision.
In the “Lindenapotheke” judgement, however, the ECJ fails to provide any depth of reasoning when it again merely refers in general terms to the protective purpose of Art. 9 GDPR to achieve a high level of protection (see paragraphs 81, 87 and 89). The extent to which this line of case law is at all suitable for achieving a high level of protection appears questionable. This is because, particularly in everyday and non-sensitive processing situations, this broad interpretation now leads in the majority of cases to a parallelism of data processing on the basis of contract performance or balancing of interests (Art. 6 para. 1 subpara. 1 lit. b and f GDPR) and consent (Art. 9 para. 2 lit. a GDPR). On the one hand, this coexistence of different justification instruments is associated with challenges at the process level during implementation and is likely to be difficult to communicate, especially to data subjects who are not familiar with the law. In the constellation with third parties (e.g. purchase of non-prescription medicines for a child or a partner), this case law can even lead to more personal data being processed, as the purchaser discloses the name of the third party as part of the order and the required consent.
It is also noteworthy that the ECJ only had to decide on the (non-)existence of health data in the context of the second question referred, but then produced the following subheading in the official press release on the judgement, which has no direct reference to the question referred at all: “The sale of pharmacy-only medicines over the internet requires the customer’s express consent to the processing of their data, even if the medicines in question are non-prescription medicines.” Although the proceedings at first instance and the appeal proceedings in Germany were certainly concerned with the question of justification under Art. 9 GDPR (the core component of the proceedings was the sale of OTC medicines via the Amazon platform, for which Art. 9 para. 2 lit. h GDPR does not apply), it was not part of the question referred by the Federal Court of Justice.
In its decision, the ECJ did not follow the restrictive approach proposed by Advocate General Szpunar. The Advocate General suggested that, when examining the existence of health data, both the content of the data in question and all the circumstances of its processing must be considered in order to determine whether information about the data subject’s state of health can be inferred from it with a certain degree of certainty (para. 49). He pointed out that OTC medicinal products are not necessarily purchased at the time of an illness, but are often bought to keep in stock, and that they do not necessarily have to be intended for consumption by the purchaser himself.
- Conclusions and consequences of the ECJ judgement “Lindenapotheke”
The consequences of this continuation of the ECJ’s case law on the broad interpretation of Art. 9 GDPR go far beyond the facts of this case. It doesn’t take much imagination to come up with countless examples of common items in online shops which, based on the principles of ECJ case law, then constitute processing of special categories of personal data. The most striking examples here (and some already mentioned elsewhere) are the purchase of gluten-free products (inference of a gluten intolerance of the buyer) or glasses (visual impairment) as well as the ordering of a book on a political school of thought or a biography of a politician.
It remains to be seen how the effects of this case law will be absorbed, particularly in online retail. The parallelism between contract performance (purchase contract) and consent (special categories of personal data) that is now often required under ECJ case law is rather impractical, challenging to implement and generally incomprehensible for data subjects due to the fact that consent can be revoked at any time. The scope of application of other justification instruments from Art. 9 para. 2 GDPR is narrow, but in any case must be examined on a case-by-case basis. Additional challenges for lawful processing arise in the case of mixed data sets, imposed special categories of personal data (e.g. via free text fields) and special categories of personal data from third parties.
Do you sell products via your online shop that allow sensitive information to be derived directly or at least indirectly? We at HÄRTING Rechtsanwälte will be happy to support you in analysing and evaluating your online shop and in developing and designing data protection-compliant processes. The decision and its implications will also be the subject of a webinar in our bevh webinar series in the first half of 2025 (on 20 February 2025).