EU Court of Justice: Member States may make provision for competitors of the person allegedly responsible for an infringement of the laws protecting personal data to challenge that infringement in court as a prohibited unfair commercial practice.

The German Federal Court of Justice is to resolve a dispute between two German pharmacists. The pharmacist who owns the ‘Lindenapotheke’ pharmacy has been marketing pharmacy-only medicinal products on Amazon since 2017. Customers must enter certain information when ordering these medicinal products online.   
On the basis of the German legislation on unfair commercial practices, a competing pharmacist applied to the German courts for an order that the owner of Lindenapotheke cease that activity so long as there is no guarantee that customers will be able to give their prior consent to the processing of data concerning health. The courts at first and second instance held that that marketing activity amounted in fact to an unfair and unlawful practice, since it is contrary to the Regulation on the protection of personal data (GDPR). In the absence of explicit consent from the customers purchasing those medicinal products, the sale entails processing of data concerning health that is prohibited under that regulation. 

The German Federal Court of Justice wonders whether the national legislation, which allows a competitor to bring legal proceedings against the person allegedly responsible for infringements of the GDPR on the basis of the prohibition of unfair commercial practices, is consistent with that regulation. Indeed, according to the GDPR, it is in principle for the national supervisory authorities to monitor and enforce that regulation and for the data subjects (in this case, the customers) to defend their rights.

The German court also wishes to know whether the information entered when pharmacy-only medicinal products are purchased online constitutes data concerning health within the meaning of the GDPR, even where those medicinal products do not require a prescription. It therefore turned to the Court of Justice.

The Court replies, in the first place, that the GDPR does not preclude national legislation which, alongside the  rights and powers conferred by the GDPR on the national supervisory authorities, on data subjects and on  associations representing those persons, allows competitors of the person allegedly responsible for an  infringement of the laws protecting personal data to bring legal proceedings against that person, for  infringements of that regulation, on the basis of the prohibition of unfair commercial practices. On the  contrary, this undoubtedly contributes to strengthening the rights of data subjects and ensuring that they  enjoy a high level of protection. Moreover, this may be particularly effective, in so far as a large number of GDPR  infringements could thus be prevented.  

In the second place, the Court finds that information entered by customers (such as their name, the delivery  address and the information required for individualising the medicinal products) when ordering pharmacy-only  medicinal products online constitutes data concerning health within the meaning of the GDPR, even where  the sale of those medicinal products does not require a prescription.  Those data are capable of revealing information about the health status of an identified or identifiable data  subject by means of an intellectual operation involving comparison or deduction because a link is established  between that person and a medicinal product, its therapeutic indications or its uses, irrespective of whether that  information concerns the customer or any other person for whom the customer places the order.

Accordingly, in  the absence of a prescription, it is immaterial whether it is only with a certain degree of probability and not with  absolute certainty that those medicinal products are intended for the customers who ordered them. To make a  distinction according to the type of medicinal product and to whether or not the sale of those medicinal  products requires a prescription would be contrary to the GDPR’s objective of ensuring a high level of  protection. Consequently, the seller must inform those customers in an accurate, comprehensive and easily  understandable manner of the specific characteristics and purposes of the processing of those data and request  their explicit consent to that processing.