GDPR AND HEALTH: COMPETITORS OF THE ALLEGED PERPETRATOR OF A PERSONAL DATA PROTECTION INFRINGEMENT MAY CHALLENGE IT IN COURT AS A PROHIBITED UNFAIR COMMERCIAL PRACTICE
The Court of Justice of the European Union has ruled that European Regulation 2016/679 (known as the GDPR) does not preclude national legislation allowing competitors of the alleged perpetrator of a personal data protection infringement to bring an action against that perpetrator before the civil courts, on the grounds of violations of the Regulation and by virtue of the prohibition of unfair commercial practices.
In this case, the dispute was between two pharmacists. The pharmacist who owned the Lindenapotheke pharmacy marketed medicines reserved for pharmacies on an online e-commerce platform. Customers had to enter various information (name, address, etc.) when ordering these medicines online.
A competing pharmacist decided to bring an action before the German courts to have the owner of Lindenapotheke cease this activity, on the grounds that there was no guarantee that customers would have the possibility of giving their prior consent to the processing of personal data regarding their health.
The German courts at first instance and on appeal considered that the online marketing by the owner of Lindenapotheke did indeed constitute an unfair and unlawful practice, as it violated Articles 6 (on the lawfulness of processing) and 9 (on the processing of personal data relating to health) of European Regulation 2016/679 on the protection of personal data (GDPR).
The owner of Lindenapotheke has filed an appeal for review with the German Federal Court of Justice.
In view of the differences in interpretation in German law regarding the possibility of direct recourse by competitors on the basis of a violation of the GDPR, and in a desire for harmonisation, the German Federal Court of Justice decided to stay the proceedings and to refer the following question to the Court of Justice of the EU for a preliminary ruling: is national legislation of an EU Member State that allows a competitor to take legal action against the alleged perpetrator of violations of the GDPR, on the basis of the prohibition of unfair commercial practices, consistent with the provisions of the GDPR?
The Court of Justice of the EU answered in the affirmative by stating that the GDPR does not preclude national legislation that allows competitors to bring an action against the alleged perpetrator of a breach of the protection of personal data for violation of the GDPR based on the prohibition of unfair commercial practices, despite the existing prerogatives of intervention of the supervisory authorities responsible for monitoring and enforcing the GDPR (see Article 58 (powers) of the GDPR) and the rights of the persons concerned by the breach to defend their rights (complaint, right of rectification and right to be forgotten).
In addition, the Court of Justice of the EU specifies that the information entered by customers in the present case does indeed constitute health data within the meaning of the GDPR, since ordering medicines reserved for pharmacies online involves giving their name, delivery address and the elements necessary for the individualisation of the medicines, even when the sale of those medicines is not subject to a medical prescription.