Data Protection Requirements in the Online Sale of Medicines – Analysis of a Recent Ruling
On March 1, 2024, the Higher Administrative Court of Lüneburg issued a decision in case 14 LA 124/23 with far-reaching consequences for operators of online pharmacies and similar online shops. At the center of the legal dispute was the mandatory query of the date of birth during the ordering process for medicines that can be obtained without a prescription. The judgment illustrates key principles of data protection law and emphasizes the requirements for data minimization under the General Data Protection Regulation (GDPR).
Context and Initial Situation
Like many online providers, a significant number of pharmacies on the internet require the date of birth during registration or ordering. This is often justified on grounds of security, age verification, or order processing. In the present case, entering the date of birth was mandatory even when ordering medicines that do not require a prescription.
A consumer complained to the data protection supervisory authority that he saw this practice as a violation of the GDPR. The authority sided with the customer and, referring to the principle of data minimization, demanded that the online pharmacy change its procedure. The question to clarify was specifically whether and to what extent the date of birth is necessary for the sale of pharmacy-only but non-prescription medicines.
Reasons for the Decision of the Higher Administrative Court of Lüneburg
Data Minimization as a Central Element of the GDPR
The core of the judgment is its assessment of the so-called principle of necessity, which derives from Art. 5 para. 1 lit. c GDPR. The processing of personal data is therefore only permissible if it is necessary to achieve the pursued purpose. The Higher Administrative Court clarified that for the distribution of pharmacy-only, non-prescription medicines, there is, as a rule, no basis for obliging customers to provide the date of birth. Age verification, if necessary to comply with youth protection regulations, can also be carried out by less invasive means, such as a simple age indication in the form of a checkbox (“I am at least 18 years old”).
Purpose Limitation and Proportionality
The court also examined whether collecting the date of birth could be essential for contractual processing or statutory documentation obligations in individual cases. It explicitly answered this question in the negative for “pharmacy-only but non-prescription” products. Collecting the date of birth in these cases is no longer covered by the purpose of the order and represents a disproportionate interference with the protection of personal data.
Limits of Consent and Implications for Practice
Lastly, the role of possible consent from customers was examined. The Higher Administrative Court of Lüneburg determined that even explicit consent does not justify collecting the date of birth if providing it is made a mandatory requirement for ordering. In that situation the user’s freedom of choice is effectively nullified, and a deliberate waiver of data protection cannot be derived from it.
Significance for the Online Pharmaceutical Trade and Business Practice
The judgment illustrates the need for careful consideration in processing personal data in e-commerce, especially in the highly sensitive area of healthcare. Operators of online pharmacies are urged to regularly review and, if necessary, adjust both the scope and purpose limitation of data queries. The decision also has a signaling effect beyond the specific case constellation, for example, for other digital service providers who also collect sensitive data.
Overview of Legal Implications
- Collecting the date of birth is only permissible for orders of pharmacy-only, non-prescription medicines if there is a clear and legally prescribed necessity for it.
- As a milder means of age verification, obtaining a self-declaration related to age is recommended.
- Violations of the requirement for data minimization under GDPR can be prevented by data protection supervision. In case of non-compliance, regulatory orders and, in individual cases, severe sanctions may be imposed.
Outlook on Further Proceedings
It should be noted that further instances and future court decisions may introduce differentiations and shed light on new aspects. The present decision is based on the specific circumstances of the individual case and does not claim conclusiveness for all business models or product categories. Observing the development of case law and any legislative changes is advised.
Source Note
The decision of the Higher Administrative Court of Lüneburg of March 1, 2024, Case No. 14 LA 124/23, is published on urteile.news and forms the basis of this article.