Order details provided by a user when placing an order online, such as their name or delivery address, are – unsurprisingly – personal data. Processing this data is generally permitted for the purpose of fulfilling the order pursuant to Article 6 (1) (b) GDPR. So far, so good.
The German Federal Court of Justice (BGH) has now recently ruled that this does not apply if the order relates to medicines (judgments of 27 March 2025 – Ref. I ZR 222/19 and ZR 223/19). In this case, the order data constitutes particularly sensitive health data. This means that order data for medicines is subject to the strict requirements for data processing under Article 9 GDPR. Its processing cannot be justified by the mere performance of a contract. As a result, this means that the user's consent to the processing of their order data must be obtained during the order process.
The decision represents a significant expansion of the concept of health data. However, this had been determined by the European Court of Justice (ECJ). In October 2024, the ECJ ruled that order data for medicinal products must be regarded as health data, as the processing of this data may reveal information about the health of a natural person, regardless of whether this information concerns the user themselves or another person for whom the order is placed (Case C-21/23).
Assessment
Online retailers who sell medicines on the internet in the EU must now ensure (e.g. via a separate checkbox) that the customers expressly consent to the processing of their order data. Violations of the consent requirement constitute a violation of competition law and may result in costly warning letters from competitors or consumer protection associations.
There is also a risk that the consent requirement will not be limited to the ordering of medicines. After all, conclusions about a person's state of health can also be drawn from orders for other products. For example, the order of (medical) cosmetics could lead to the conclusion that a person suffers from a skin disease, the order of an aid from a medical supply store could indicate that a person has a physical disability, or the order of lactose-free products could indicate that a person is lactose intolerant. This means that there is a risk that the consent requirement will also apply beyond the ordering of medicines. Online retailers are therefore advised to obtain separate consent for data processing.
Author:
Magnus Brau, Counsel
Email: Magnus.Brau@rittershaus.net