In a landmark ruling on October 4, 2024, the European Court of Justice opened the door wide to unfair competition proceedings for data protection violations in Germany.
Data protection violations can be pursued via the UWG
In the ruling, the ECJ answered the long-disputed question of whether infringements of the General Data Protection Regulation (“GDPR”) can also be pursued by competitors based on the German Act against Unfair Competition (“UWG”) in the affirmative (CURIA - Documents (europa.eu)).
For businesses, this means that in the event of gaps / short comings regarding data protection compliance, there is a further risk being attacked by competitors. In addition to data protection supervisory authorities, consumer associations and data subjects, competitors will in future be another potential claimant regarding any breaches of the GDPR. In this respect, the UWG serves as a lever for asserting such claims. Nevertheless, there is no reason to fear that masses of warning notices will be heading towards SMEs. Section 13 (4) of the UWG provides that a claim for reimbursement of warning costs cannot be asserted regarding data protection violations, at least if the company being targeted has fewer than 250 employees.
We had dealt with the background and the facts of this case in a previous article (Are competitors allowed to sue in the event of data protection violations? www.skwschwarz.de/en)
Companies should take the ECJ's decision as an occasion to thoroughly re-examine their products and services, both from a data protection law perspective and from the perspective of unfairness under the UWG.
Broad interpretation of the term “date of health”
In addition to the described topic of the relationship between the GDPR and the UWG, the ECJ also commented on another issue that is very relevant in practice from a data protection perspective, namely the interpretation of the definition of health data (Article 4 No. 15 GDPR).
According to the ECJ, this should generally be interpreted expansively due to the high level of protection required for health data. In this specific case, the ECJ qualified the data entered by customers when ordering a pharmacy-only medicine online (such as name, delivery address and information necessary for the individualization of the medicine) as health data within the meaning of the GDPR. This also applies if the medicines in question may only be sold in pharmacies, but are available without a prescription. It is sufficient that the health status of an identified or identifiable natural person can be inferred from this data by intellectual combination or derivation. Whether this person is the purchaser or an - unknown - third party for whom the order is placed, is irrelevant, as the personal reference is already initially established. Whether this personal reference is correct is not a question that arises in the context of the prohibition of Article 9 GDPR, but a question of data accuracy.
Because the processing of health data is subject to the fundamentally strict regulatory regime of Article 9 GDPR, companies in the healthcare sector should critically question whether they have so far based certain data processing activities on one of the conditions of Article 6 (1) GDPR and whether this assessment is still sufficiently legally certain for their business model against the background of the ECJ's considerations.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
