In a recent case from Germany (C-21/23) one pharmacy was suing another in front of a civil court because they allegedly employed unfair business practices when they sold their prescription-free products on Amazon marketplace, because they supposedly violated the GDPR. Therefore, the CJEU had to take a stance on the question whether the GDPR precludes national legislation which allows the enforcement of the GDPR by competitors as well as the question if even the data processed during the purchase of prescription-free medicinal products online constitutes data concerning health within the meaning of Article 9(1) GDPR.
Regarding the first question, the court considered the objective of the GDPR of harmonisation of the application of the law and the possibility of conflict of competences between data protection authorities and civil courts on the one hand, and the effet utile of union law in order to ensure the highest possible level of protection of personal data, in accordance with recital 10 of the GDPR on the other.
The court ruled that following the wording and the context of the Chapter VIII of the GDPR the regulation did not intend to rule out the availability of remedies to competitors. Furthermore, the possibility of competitors to make use of this remedy exists in addition to the remedies established in Articles 77 to 79 of the GDPR. Also, there is no risk to the uniform interpretation of the law since the preliminary ruling procedure provided in Article 267 TFEU applies to both remedies.
Regarding the second question, the CJEU considered whether the data processed during the purchase of prescription-free medicinal products constitutes data concerning health under Article 9(1) GDPR. The court emphasized that health data must be interpreted broadly to ensure robust protection. Even though the purchase of such products may not always indicate a serious condition, it could reveal health-related information.
The court also addressed the argument that the person ordering the products may not be the actual user, which could result in misleading conclusions about their health. However, the judges ruled that despite this possibility, the potential for such purchases to reveal information about an individual’s health status still brings them within the scope of Article 9(1). In their view, the GDPR’s protections apply broadly to any data that can reasonably be linked to health, regardless of possible inaccuracies.
