The Court of Justice of the European Union (CJEU) has recently issued a landmark decision (C-21/23 “Lindenapotheke”) that expands the interpretation of what constitutes health data under the General Data Protection Regulation (GDPR). This ruling has significant implications for businesses, especially those involved in the sale of medicinal products online.
A Wider Scope of Health Data
The CJEU determined that personal data capable of revealing information about an individual’s health status includes not only explicit medical information but also data that can infer health details through deduction or comparison. This means that when a customer purchases a medicinal product, the mere association between the individual and the product’s therapeutic uses is considered health data—even if there’s only a probability, not absolute certainty, that the product is intended for the customer or someone they represent.
The court stated that making distinctions based on the type of medicinal product or prescription requirements contradicts the GDPR’s goal of ensuring a high level of data protection. Therefore, all data linking a person to a medicinal product falls under the stringent protections afforded to health data.
Obligations for Data Controllers
In light of this broad interpretation, sellers and data controllers must:
- Provide Clear Information: Inform customers accurately and comprehensively about the specific characteristics and purposes of processing their data in an easily understandable manner.
- Obtain Explicit Consent: Secure explicit consent from customers before processing any data that could reveal health information.
Ignoring these obligations could result in non-compliance with the GDPR, leading to potential legal consequences and fines.
Implications for Businesses
This ruling emphasizes the need for businesses to reassess their data processing practices. Companies should:
- Review and possibly update their privacy policies to reflect the broader definition of health data.
- Implement stricter consent mechanisms to ensure explicit permission is obtained.
- Enhance data protection measures to safeguard sensitive health information inferred from customer interactions.