European Court of Justice: Competitors can sue over data protection violations

In its ruling of 4 October 2024, the European Court of Justice (“ECJ”) determined that the General Data Protection Regulation (“GDPR”) does not prohibit national legislation from allowing competitors to legitimately challenge purported data privacy infringements as unfair competition practices in civil courts. Thus, the Court emphasised that this legal remedy is accessible to competitors alongside the intervention authority of regulatory bodies tasked with GDPR enforcement and the remedies available to data subjects under the GDPR.

The ECJ maintained that the GDPR does neither seek to completely harmonise legal remedies for violations, nor does it exclude competitors from initiating actions under national laws regarding unfair competition practices. According to the Court, an injunction by a competitor primarily aims to promote equitable competition, while also facilitating adherence to GDPR regulations, thereby enhancing the rights and protection of impacted persons. The ECJ asserts that such injunctions, similar to those submitted by consumer protection organisations, might successfully avert GDPR violations.

The ruling was predicated on a situation in which the defendant’s business, located in Germany, sold over-the-counter (“OTC”) medicinal products online. Customers were required to provide certain information during the ordering process, including their name, delivery address, and data on the pertinent OTC product. The claimant, a competitor, used German legislation on unfair competition practices, requesting the German courts to prohibit the competing pharmacy’s activities unless there is guarantee of previous consumer agreement for the processing of their health-related data. The German Federal Court of Justice (Bundesgerichtshof) was designated as the last authority to decide on the case and requested clarification from the ECJ about the interpretation of the GDPR.

In light of this circumstance, the ECJ determined that the information provided by pharmacy clients when obtaining OTC medicinal products online qualifies as health data under the GDPR. According to the ECJ, this data can reveal information about the health status of an identified or identifiable person because a connection exists between the person placing the order and a medicinal product and its use cases. The Court maintained that this is applicable even without a prescription and acknowledged that the consumer may order on behalf of another individual.

These are the upcoming dates for our Annual General Meetings:

Thursday, 21 March 2024
Thursday, 20 March 2025