Provisional text
OPINION OF ADVOCATE GENERAL
SZPUNAR
delivered on 25 April 2024 (1)
Case C‑21/23
ND
v
DR
(request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Remedies – Delimitation of remedies – Processing of special categories of personal data – Concept of ‘data concerning health’)
I. Introduction
1. The present case concerns the interpretation of a number of provisions of Regulation (EU) 2016/679 (2) (‘the GDPR’) in relation to, first, the system of remedies established by that regulation and, second, the category of particularly sensitive data consisting of ‘data concerning health’.
2. The request for a preliminary ruling was made in the context of an action for an injunction, based on the prohibition, in national law, of acts of unfair competition, and brought by an undertaking with a view to putting an end to the online marketing of non-prescription medicines by one of its competitors. The alleged act of unfair competition consists, according to that undertaking, of failure to comply with the requirements arising from the GDPR with regard to the processing of ‘data concerning health’.
3. I shall begin my analysis by examining the second question referred for a preliminary ruling, which will enable the Court to define the outlines of the concept of ‘data concerning health’ that determine whether an enhanced protection regime is applicable.
4. In the event that the data at issue in the present case could not be classified as ‘data concerning health’, within the meaning of Article 9(1) of the GDPR, it would follow that the alleged act of unfair competition would not be made out. There would then be no need to answer the first question, which concerns whether the system of remedies established by the GDPR permits the existence, in national law, of an action based on an infringement of the rules relating to the prohibition of acts of unfair competition whereby the applicant relies on an infringement of the substantive provisions of the GDPR.
II. Legal framework
A. European Union law
1. Directive 95/46/EC
5. Directive 95/46/EC (3) provides, in Article 8(1):
‘Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.’
2. The GDPR
6. Recitals 9, 10, 13, 35, 51 and 142 of the GDPR are worded as follows:
‘(9) The objectives and principles of [Directive 95/46] remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of [Directive 95/46].
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …
…
(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in [Directive 2011/24/EU (4)] to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
…
(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. … Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
…
(142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject’s mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.’
7. Article 1 of that regulation, entitled ‘[Subject matter] and objectives’, provides:
‘1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’
8. Article 4 of that regulation provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
…
(15) “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
…’
9. In the words of Article 9 of that regulation, entitled ‘Processing of special categories of personal data’:
‘1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
…
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
…’
10. Articles 77 to 84 appear in Chapter VIII of the GDPR, entitled ‘Remedies, liability and penalties’.
11. Article 77 of that regulation, entitled ‘Right to lodge a complaint with a supervisory authority’, provides in paragraph 1:
‘Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.’
12. Article 78 of that regulation, entitled ‘Right to an effective judicial remedy against a supervisory authority’, states in paragraph 1:
‘Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.’
13. Article 79 of that regulation, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides in paragraph 1:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
14. Article 80 of the GDPR, entitled ‘Representation of data subjects’, states:
‘1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’
15. Article 82 of that regulation, entitled ‘Right to compensation and liability’, provides in paragraph 1:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
16. Article 84 of that regulation, entitled ‘Penalties’, states in paragraph 1:
‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’
B. German law
1. The Law against unfair competition
17. Paragraph 3 of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) of 3 July 2004, (5) in the version applicable to the dispute in the main proceedings (‘the Law against unfair competition’), entitled ‘Prohibition of unfair commercial practices’, provides, in subparagraph 1, that ‘unfair commercial practices are illegal’.
18. Paragraph 3a of that law, entitled ‘Infringement of the law’, is worded as follows:
‘Anyone who infringes a statutory provision intended, inter alia, to regulate market conduct in the interest of market players commits an unfair act where that infringement is capable of having an appreciable effect on consumers, other market players or competitors.’
19. Paragraph 8 of that law, entitled ‘Elimination and omission’, states:
‘(1) Any commercial practice which is illegal under Paragraph 3 or Paragraph 7 may give rise to an injunction and, where there is a risk of recurrence, an injunction or a prohibition. …
…
(3) The orders referred to in subparagraph 1 may be requested by:
1. any competitor who markets or requests goods or services in a non-negligible and non-occasional manner,
…’
2. The Law on medicines
20. The movement of medicines is governed by the Arzneimittelgesetz (Law on medicines) of 24 August 1976, in the version published on 12 December 2005, (6) as most recently amended by Paragraph 8c of the Law of 20 December 2022. (7) That law distinguishes between medicines sold in pharmacies, referred to in Paragraphs 43 (entitled ‘Pharmacy-only requirement’) to 47, and those sold on prescription, referred to in Paragraph 48, entitled ‘Prescription requirement’.
III. Facts in the main proceedings, procedure and the questions referred for a preliminary ruling
21. ND and DR both operate pharmacies. The appellant in the main proceedings, ND, also holds a mail-order licence and also sells his products, including pharmacy-only medicines, via Amazon Marketplace (‘Amazon’), an e-business platform whereby sellers may offer goods for sale directly to consumers.
22. The respondent in the main proceedings, DR, brought an action for an injunction to prevent ND from marketing pharmacy-only medicines on the Amazon online sales platform. According to DR, such marketing constitutes an unfair commercial act in so far as it has the consequence that ND infringes a legal provision, within the meaning of Paragraph 3a of the Law against unfair competition, namely, inter alia, Article 9 of the GDPR, which requires that the customer’s prior explicit consent be obtained for the processing of his or her data concerning health.
23. The Landgericht Dessau-Roßlau (Regional Court, Dessau-Roßlau, Germany) upheld that action. The Oberlandesgericht Naumburg (Higher Regional Court, Naumburg, Germany) subsequently dismissed ND’s appeal, holding that the marketing by ND on Amazon of pharmacy-only medicines is contrary to the national law against unfair competition. According to that court, such marketing constitutes the processing of data concerning health, within the meaning of Article 9(1) of the GDPR, to which the customers have not explicitly consented. The provisions of the GDPR should be regarded as rules of market conduct within the meaning of national competition law, so that, in its capacity as a competitor, DR would be entitled to apply for an injunction based on national competition law in reliance on an infringement by ND of the provisions of that regulation.
24. ND lodged an appeal on a point of law before the referring court, the Bundesgerichtshof (Federal Court of Justice, Germany), whereby he maintains his claim that the action for an injunction should be dismissed.
25. According to the referring court, the outcome of the appeal on a point of law depends on the interpretation of both Chapter VIII of the GDPR and Article 9 of that regulation, and also Article 8(1) of Directive 95/46.
26. The referring court states that it must be determined whether the applicant in the main proceedings, in its capacity as a competitor, has standing to bring an action against the infringer before the civil courts in respect of the infringements of the GDPR, on the basis of the prohibition of unfair commercial practices. It observes that the dispute raises a controversial question to which the answer may be that the rules laid down in the GDPR on the application of its provisions are exhaustive, so that competitors’ standing to bring proceedings under competition law is excluded. Nevertheless, it may also be argued that the provisions of the GDPR on control of the application of the law are not exhaustive and that competitors therefore have the requisite standing to bring an action for an injunction in reliance on the infringement of the GDPR.
27. Furthermore, the referring court maintains that it must be determined whether the data which customers are required to enter when ordering pharmacy-only but non-prescription medicines online constitute data concerning health, within the meaning of Article 9(1) of the GDPR and previously of Article 8(1) of Directive 95/46, in so far as the right to an injunction exists only if ND’s conduct was unlawful both at the time it took place and at the time of the hearing in the appeal on a point of law.
28. It was in that context that the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Do the rules in Chapter VIII of [the GDPR] preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of [that regulation] against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?
(2) Do the data that the customers of a pharmacist who acts as a seller on an online sales platform enter when ordering pharmacy-only but not prescription-only medicines on the sales platform (data such as the customer’s name, delivery address and information required for individualising the pharmacy-only medicine ordered) constitute data concerning health within the meaning of Article 9(1) [of the GDPR] and of Article 8(1) of [Directive 95/46]?’
29. The present request for a preliminary ruling was received at the Court on 19 January 2023. The parties to the main proceedings, the German Government and the European Commission submitted written observations. Those parties were represented at the hearing on 9 January 2024.
IV. Analysis
30. In the present case, DR claims that ND infringed Article 9 of the GDPR by processing the data of customers who ordered non-prescription medicines online, without meeting the requirement to obtain the customers’ explicit consent to process those data.
31. By its first question the referring court asks, in essence, whether the provisions of Chapter VIII of the GDPR must be interpreted as meaning that they preclude national rules which afford undertakings the right to rely, on the basis of the prohibition of acts of unfair competition, on infringements of the substantive provisions of the GDPR allegedly committed by their competitors. In the second question, the referring court asks the Court whether Article 9 of the GDPR must be interpreted as meaning that the data in question constitute data concerning health and therefore come within the special categories of data referred to in that provision. (8)
32. I would observe at the outset that, as I have already stated, if the answer to the second question were to be in the negative, there would be no need to answer the first question, since the Court’s answer would be sufficient for the referring court to give judgment in the case before it. In those circumstances, I consider it appropriate to begin my analysis of the questions referred for a preliminary ruling with the second question.
A. The second question
33. By its second question, the referring court asks, in essence, whether the data of customers of a pharmacist which are transmitted when pharmacy-only but non-prescription medicines are ordered on an online sales platform constitute ‘data concerning health’ within the meaning of Article 9(1) of the GDPR.
34. I must make clear at the outset that the concept of ‘data concerning health’ in Article 9(1) of the GDPR is defined in Article 4(15) of that regulation. The answer to the second question therefore assumes a joint interpretation of those two provisions.
1. The interpretation of the concept of ‘data concerning health’ in the light of existing case-law
35. In the words of Article 4(15) of the GDPR, ‘data concerning health’ are personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
36. That definition is also supported by recital 35 of the GDPR. The Court has pointed out in its case law that ‘[that recital] states that personal data concerning health should include all data pertaining to the health status of a data subject which “reveal” information relating to the past, current or future physical or mental health status of the data subject’. (9)
37. It therefore follows from the wording of Article 4(15) of the GDPR, clarified by recital 35 of that regulation, that the determining factor for establishing whether certain personal data are data concerning health is that it is possible, on the basis of the data in question, to draw inferences about the health status of the data subject. In other words, ‘data concerning health’ are not limited to medical data or data directly related to health problems, but also include any data from which inferences may be drawn about the health status of the data subject, whether they relate to a pathological or a physiological status.
38. That is confirmed in the light of the objective pursued in Article 9 of the GDPR. The Court has thus made clear in its case-law that the purpose of that provision is to ensure enhanced protection as regards processing which, because of the particular sensitivity of the data processed, is liable to constitute, as follows from recital 51 of the GDPR, a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. (10)
39. The particular sensitivity of data concerning health is explained by the fact that they relate to information falling within the most private sphere of persons and may expose their vulnerabilities. That particular sensitivity and, consequently, their particular need for protection are moreover recognised not only in EU law but also in the case-law of the European Court of Human Rights, which emphasises that ‘respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the [European Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4 November 1950]’. (11)
40. It is therefore important, in the light of that objective, according to the case-law of the Court of Justice, to give a wide interpretation to the concept of ‘particular categories of personal data’ of which data concerning health form part, so that they refer not only to data which are inherently sensitive but also to data which reveal information of that nature indirectly, following an intellectual operation involving deduction or cross-referencing. (12)
41. In that regard, I would observe that the European Data Protection Board established in Article 68 et seq. of the GDPR also adopts such an approach to the concept of ‘data concerning health’, pointing out that it is not only the intrinsic nature of the information that determines its classification as ‘data concerning health’, but also the circumstances of its collection and processing, and in that respect gives various examples. According to that Board, information in a medical file, information that reveals the state of health by cross-referencing with other data, or information that becomes health data because of its usage in a specific context, such as information regarding a recent trip, and processed by a medical professional to make a diagnosis, constitute ‘data concerning health’. (13) On the other hand, data gathered by an application that measures the number of steps taken by the data subject, where that application cannot link those data with other data relating to the data subject and in so far as the data gathered are not processed in a medical context, do not constitute ‘data concerning health’. (14)
42. It therefore follows clearly from Article 4(15) and Article 9 of the GDPR, as interpreted in the case-law, that data which are liable to permit conclusions to be drawn about the health status of the data subject must be considered to be ‘data concerning health’ within the meaning of those provisions.
43. I would therefore observe that, at first sight, it cannot be denied that the placing of an order for non-prescription medicines online assumes the processing of data from which certain information concerning health or, at least, certain indicia concerning health may be inferred, in so far as that order entails a link between the purchase of a medicine, a product relating to health par excellence and the identity of the purchaser. To my mind, however, and for the reasons which I shall set out, it is apparent from the information communicated to the Court by the referring court that that link is too tenuous and that the indicia that may be inferred from it are too imprecise or hypothetical for the data in question to be capable of being classified as ‘data concerning health’ within the meaning of Article 4(15) and Article 9 of the GDPR.
2. The requirement of a certain degree of certainty as to the conclusions that may be drawn concerning the health status of a data subject
44. I must make a few points about that interpretation of the concept of ‘data concerning health’ in particular and of the concept of ‘particular category of data’ in general.
45. First, it seems to me that, on the basis of those elements of interpretation, a product ordered online may be considered to be capable of revealing some general information about a person’s health status but also, as is apparent from Article 9 of the GDPR, about his or her racial or ethnic origin, political opinions, religious or philosophical beliefs, or even sexual orientation. In my view, certain information relating to those different factors with regard to the data subject may be inferred from the goods ordered online.
46. A number of examples allow me to substantiate that remark. Ordering a book by a political personality may potentially indicate endorsement of the latter’s ideas, ordering a garment may be a sign of a person’s religious beliefs, or ordering erotic material may indicate a person’s sexual orientation. Unless the bulk of the processing of data relating to online commerce is to be subjected to the regime provided for in Article 9(2) of the GDPR, it therefore seems necessary to me to further refine the interpretation of the concept of ‘data concerning health’ as meaning that the conclusions that may be drawn from the data relating to an order must not be merely potential. In other words, in my view, the information revealed by the data in question as regards the health status of the data subject cannot be mere supposition, but must present a certain degree of certainty.
47. Second, I am of the view that, apart from cases where the data are inherently ‘data concerning health’, whether data may be classified as data concerning health depends on the circumstances of each case. More specifically, the conclusions that may be drawn from those data seem to me to depend on the context in which the data are gathered and the processing which they undergo. As the European Data Protection Board set up pursuant to Article 68 et seq. of the GDPR points out, data which at first sight are unconnected with the medical sphere, such as information relating to a trip, may nonetheless be regarded as ‘data concerning health’ when they are analysed in a medical context and combined with other information, in order to establish, in the example given, potential contamination by a bacterium or a virus present in a specific region.
48. In particular, I would emphasise that the identity of the data controller is a particularly relevant factor in that respect. When the data are processed by a body from the health sector, it seems to me that that may indicate that those data are in fact ‘data concerning health’. On the other hand, those data may be classified differently because they are not processed by an establishment from the health sector and cannot be linked with other data of the data subject. In other words, the same piece of data may reveal more information about a person’s health status where it is processed by an institution in the health sector which is competent to interpret those data, or has other data concerning the data subject, than where it is processed by a body outside that sector.
49. In those circumstances, I am of the view that it is for the referring court to examine both the substance of the data at issue and all the circumstances in which those data are processed, in order to determine whether information relating to the health status of the data subject may be inferred with a certain degree of certainty.
50. In the light of the information in the referring court’s decision, however, it seems to me to be possible to give clarifications to guide it in giving judgment in the main proceedings. (15)
3. The relevant elements for the referring court’s examination of the possibility of inferring information about the health status of a data subject
51. In the first place, as regards the products ordered, I emphasise that the medicines in question, namely non-prescription medicines, are not as a rule intended for the treatment of a particular state, but may be used more generally to treat everyday diseases that may be encountered by anyone and are not symptomatic of a specific pathology or health status. Furthermore, those medicines are also frequently bought as a preventive measure so that they are available when required, or before leaving the habitual residence, for example. By way of illustration, an order for paracetamol does not allow any inference to be drawn as to the precise state of a person, as that molecule is indicated for the treatment of a variety of pains and fevers and is often among the medicines which people have at home, quite apart from any particular need.
52. In the second place, as ND observes, the fact that a person orders a non-prescription medicine online does not necessarily mean that it is that person, whose data are processed, and not another person from his or her household or circle, who will use that medicine. It is often the case that an order on an online sales site is placed by a person who has an account on that site on behalf of a person without an account. In the absence of a prescription designating by name the person for whom the medicine is intended and on the basis of which it may be presumed that the person using the medicine and the purchaser are the same person, it cannot be inferred from an order for a product freely available online that that product is intended to be used by, and only by, the purchaser. It follows that no conclusion about the health status of the person whose data are processed can reasonably be drawn from those data, in such a way that they might be classified as ‘data concerning health’.
53. That applies a fortiori because, in the third place, and subject to verifications which it is for the referring court to carry out, a person may place an order via the internet without being required to provide precise data about his or her identity, in particular where the product is delivered not to the data subject’s address but via a collection point, and where no other information is required for billing purposes.
54. I am therefore of the view that the answer to the second question should be that the data of the customers of a pharmacist which are transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines do not constitute ‘data concerning health’ within the meaning of Article 4(15) and Article 9 of the GDPR, in so far as only hypothetical or imprecise conclusions as to the health status of the person placing the online order may be drawn, which it is for the referring court to verify.
55. For the remainder, I must further clarify that, to my mind, to interpret the concept of ‘data concerning health’ as including the data transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines is liable, paradoxically, to reveal more sensitive information owing to the system of enhanced protection provided for in Article 9(2) of the GDPR. In fact, the request for explicit consent for the processing of data already identified as sensitive might ultimately encourage the purchaser to reveal the identity of the end user of the product. In that situation, more certain conclusions about the health status of that person might be drawn.
B. The first question
56. In the light of the answer which I propose should be given to the second question, there is no need, in my view, to answer the first question. In the interest of completeness, however, and having regard to the assessment which the referring court will be required to carry out, I shall analyse that question, whereby the referring court asks, in essence, whether the provisions of Chapter VIII of the GDPR must be interpreted as meaning that they preclude national rules which afford to undertakings the right to rely, on the basis of the prohibition of acts of unfair competition, on infringements of the substantive provisions of that regulation allegedly committed by their competitors.
57. The parties have given diametrically opposed answers to that question. On the one hand, according to the Commission and ND, the system of remedies introduced by the provisions of Chapter VIII of the GDPR, interpreted in the light of the objectives of that regulation, must be seen as an exhaustive system, excluding any possibility for the Member States to make provision for alternative remedies in national law.
58. On the other hand, according to the German Government, the system of remedies established by the provisions of Chapter VIII of the GDPR must be seen as a minimal set of remedies that can be supplemented by the Member States. The non-exhaustive nature of such a system is justified by the fact that the GDPR also has the objective of protecting the conditions of competition and preventing distortions that might result from differences in the levels of data protection and that the possibility for a competitor to rely on an infringement of the substantive provisions of that regulation by another competitor would strengthen the operational nature of the regulation.
59. The parties therefore focused their observations around whether the system of remedies provided for in the GDPR had to be seen as a system of exhaustive harmonisation, which in their submission would determine whether the Member States could make provision in their national law for alternative remedies to those established by that regulation.
60. However, although the determination of the exhaustive or non-exhaustive nature of the system of remedies is a relevant element for providing a useful answer to the first question, it seems to me, for the reasons which I shall set out, that in carrying out such an analysis it is necessary first of all to examine the underlying question of the identification of the persons who benefit from the protection afforded by the norms, both substantive and procedural, of the GDPR. If the undertakings responsible for processing the data had to be considered to be holders of rights granted by the GDPR, I am of the view that that regulation would have to be interpreted as requiring national law to put in place remedies aimed at the assertion of those rights. I shall therefore begin my analysis with that point, before answering the question whether the system of remedies established by the GDPR must be seen as an exhaustive system in the sense that excludes the possibility offered under national law to an undertaking to bring an action for an injunction, based on the prohibition of acts of unfair competition, against a competitor in reliance on the infringement by that competitor of the provisions of that regulation.
1. Identification of the holders of the rights granted by the GDPR
61. I shall endeavour first of all to clarify the need for the holders of those rights to be identified, then identify them and, last, explain the effect of the data subjects being identified as the sole beneficiaries of the rights granted by the GDPR as regards the answer to the first question.
(a) The need to determine the holders of the rights protected by the GDPR
62. The need, for the purpose of answering the first question, to identify first of all the holders of the rights protected by the GDPR before addressing the question of the exhaustive nature of the system of remedies established by that regulation, is explained, in my view, by in two ways.
(1) The obligation for Member States to make provision for actions to enforce a right derived from EU law
63. I note that it has consistently been held that, just as EU law imposes burdens on individuals, it is also intended to give rise to rights which become part of their legal assets, (16) the Court emphasising in that regard that those rights arise, inter alia, by virtue of obligations imposed both on individuals and on the Member States and the EU institutions. (17) Any obligation imposed on a natural or legal person generally has the correlative effect of granting a right for the benefit of another person.
64. It is also settled law that any right conferred on an individual by EU law also entails the existence of a remedy aimed specifically at the enforcement of that right, while, in the absence of specific rules of EU law for that purpose, it is for the Member States to ensure respect for the rights in question within the framework of domestic law remedies. (18) It is clear from the case-law that the national courts must protect the rights which the provisions of EU law confer on individuals. (19)
65. If, as the German Government maintains, the GDPR had to be interpreted as protecting, in addition to data subjects, the conditions of competition on the market and therefore, ultimately, undertakings, that regulation would have to be considered to give rise to rights which become part of the legal assets of those undertakings. (20)
66. In those circumstances, in the absence of explicit provisions of EU law to that end, rights which undertakings derive from the GDPR would have to be enforceable in accordance with the remedies provided for by the Member States.
67. It would follow that, without there being any need to address the exhaustive or non-exhaustive nature of the remedies laid down in the GDPR, the answer to the first question would have to be that Chapter VIII of that regulation must be interpreted not as not precluding the Member States from being able to allow a competitor to bring an action against another undertaking in reliance on an infringement of that regulation but, what is much more, as requiring that compliance with its provisions could be enforced in an action brought by an undertaking against a competitor in reliance on the infringement of those provisions by that competitor. (21)
68. The answer to the first question therefore does indeed, in my view, depend on the holders of the rights conferred by the GDPR being identified.
(2) The twofold dimension of the exhaustiveness of a system of remedies
69. The actual concept of ‘exhaustiveness of a system of remedies’ may cover two separate dimensions, assuming a different analysis and requiring the prior identification of the persons holding the rights respect of which is ensured by such a system.
70. The first dimension applies to the exhaustive nature of the system of remedies by reference to any other remedies designed to protect the same right. In other words, it is a question of the exhaustiveness of the remedies provided for in EU law for the protection of the rights which its norms confer on individuals. The Court has already ruled, in its case-law, on the impact of the exhaustive nature of the remedies provided for in EU law for the protection of a right which is itself provided for by EU law. By way of illustration, it has thus consistently held that a liability regime exhaustively harmonised by EU law may nonetheless exist alongside an alternative liability regime provided for by national law based on the same facts and the same basis on condition that that harmonised regime is not adversely affected and its objectives and effects are not undermined. (22) The exhaustive nature of a system of remedies provided for by EU law does not therefore suffice on its own to preclude the possibility for a Member State to provide for an alternative remedy under national law based on the same right, provided that certain conditions are met.
71. The second dimension of the concept of ‘exhaustivity of a system of remedies’ provided for by EU law is wider and refers to exhaustivity by reference to any other remedy exercised by persons who are not directly the holders of rights conferred by EU law, but who nonetheless rely on EU law in the context of an action available under national law. Such a concept of the exhaustivity of a system of remedies established by EU law therefore calls for a different analysis. (23)
72. In that regard, too, it is therefore necessary, in order to carry out a relevant analysis of the possible exhaustive nature of the system of remedies provided for by the GDPR, to determine beforehand the holders of the rights which that regulation grants, which I shall endeavour to do in the following reasoning.
(b) The identification of the holders of rights protected by the GDPR
73. The scope ratione personae of the protection granted by the GDPR must, in my view, be determined in the light of both the objectives and the content of that regulation.
74. As regards, first of all, the objectives of the GDPR, the German Government claims in that regard that that regulation aims, apart from the objective of ensuring a high and coherent level of protection of natural persons, at establishing equal conditions of competition.
75. Admittedly, recital 9 of the GDPR refers to the fact that the differences in the protection of the right to the protection of personal data with regard to their processing may distort competition. The fact nonetheless remains that, to my mind, such an explanation cannot be interpreted as making the guarantee of such free and undistorted competition an objective of the GDPR. The fact that disparities between the laws of the Member States as regards norms imposed on undertakings give rise to distortions of competition seems to me to be a simple observation, which is not specific to the GDPR. Where substantive provisions circumscribe the action of undertakings on the market more strictly in one Member State than in another, it necessarily follows that the undertakings active in the latter State have a certain competitive advantage by comparison with those established in the former State, which any harmonisation measure is likely to offset.
76. In my view, such an interpretation seems to be confirmed by the reference, in recital 9 of the GDPR, to the need to ensure ‘the free flow of personal data throughout the Union’, which is potentially threatened owing to the disparity of the national legal orders.
77. Furthermore, as the Commission submitted at the hearing, recital 9 of the GDPR is aimed not at the competition that exists between all undertakings but primarily at the competition between the undertakings of two different Member States that is caused by different legal frameworks. In other words, the essential aim is to guarantee equal conditions of competition in the various Member States by subjecting undertakings to harmonised standards, even where those standards incidentally have the effect that no undertaking benefits from a competitive advantage by comparison with other undertakings within the same Member State.
78. In my view, therefore, the GDPR does not have the objective of ensuring free and undistorted competition within the internal market.
79. Next, I observe that none of the substantive provisions of the GDPR is intended to ensure free and undistorted competition between undertakings and to make them the beneficiaries of the protection which that regulation establishes. On the contrary, those provisions are essentially intended to impose obligations on the undertakings responsible for processing the data. While it is true, as I have mentioned, that any obligation imposed on a natural or legal person necessarily has the correlative effect of granting a right to a different person, the only beneficiaries of the rights in question are, however, not the undertakings but the persons whose data are processed by those undertakings. The title of the GDPR is evocative in that respect, as it refers only to the protection of the data of natural persons.
80. Last, as regards the procedural provisions of Chapter VIII of the GDPR, I would emphasise, as I have already observed, that they make remedies available only to the data subjects and the entities responsible for representing them. That limitation of the persons able, under the provisions of the GDPR, to bring legal proceedings in reliance on an infringement of the protection of their personal data seems to me to indicate clearly that they are the only beneficiaries of that protection. In my view, it would be incoherent also to make the GDPR an instrument for the protection of the rights of competitors when that regulation does not provide for any remedy that would enable them to bring an action against an infringement of those rights, when such actions are expressly provided for with respect to the protection of the rights of data subjects.
81. I am therefore of the view that undertakings are not beneficiaries of the protection provided for by the GDPR, as that regulation grants rights only to data subjects.
(c) The impact of the interpretation of the GDPR as a norm that protects only data subjects
82. The interpretation of the GDPR according to which that regulation grants rights not to undertakings but only to data subjects leads me to a number of conclusions.
83. In the first place, as I have stated, in my view that interpretation means that it cannot be considered that compliance with the provisions of the GDPR must be enforceable in the context of an action brought by an undertaking against a competitor in reliance on an infringement of those provisions by that competitor.
84. In the second place, in so far as the circle of beneficiaries of the rights conferred by the GDPR is limited solely to data subjects, the Court’s case-law relating to the possibility for Member States to provide, in national law, further remedies for the holders of those rights, on condition that the harmonised system of remedies is not adversely affected and its objectives are not undermined, (24) is not in my view directly transposable to the situation in question. The case-law in question may however, as I shall demonstrate, serve as a basis for the analysis of that situation.
85. According to that meaning of the concept of ‘exhaustiveness of a system of remedies’, it must be determined whether the system of remedies established by the GDPR is to be understood as an exhaustive system in the sense that it precludes remedies other than those provided for in that regulation being made available, in national law, for the benefit of data subjects.
86. What is at issue in the main proceedings is an action brought by an undertaking which is not among the holders of the rights granted by the GDPR.
87. In those circumstances, having regard to the fact that the GDPR confers no rights on undertakings and their competitors, the only relevant issue is whether the system of remedies established by the GDPR must be understood as an exhaustive system in the sense that that regulation also precludes undertakings from relying on an infringement of its provisions in the context of remedies provided for by national law, which I shall now attempt to determine.
2. The possibility of actions based on national law being brought by persons who are not holders of the rights granted by the GDPR
88. The question whether the provisions relating to the system of remedies provided for by the GDPR preclude undertakings from relying on an infringement of the provisions of that regulation in the context of actions provided for by national law seems to call for a two-stage answer.
89. In order to answer that question, it is necessary to examine, first, the possibility for undertakings to rely on the provisions of the GDPR where they are not holders of the rights granted by those provisions and, second, the conditions of the interaction between such actions and the system of remedies provided for by that regulation.
90. As regards, in the first place, the possibility for undertakings to rely on the provisions of the GDPR, I note that they are able to do so in actions based on national law, such as the action at issue in the main proceedings, only incidentally. More precisely, the undertaking brings an action on the basis of national law, namely the prohibition of acts of unfair competition. The unfairness of the act in question is therefore the consequence of an infringement of the GDPR. In other words, the action is not based on an infringement of the provisions of the GDPR, but takes such an infringement into account in an incidental manner. (25)
91. The Court has already accepted that data may be taken into account in such an incidental manner, in what admittedly was a different context. The Court held, in the judgment in Meta Platforms and Others (General terms of use of a social network), that ‘a data processing operation carried out by an undertaking in a dominant position and liable to constitute an abuse of that position does not comply with [the GDPR]’ (26) and that it is generally necessary to include ‘the rules on the protection of personal data [in] the legal framework to be taken into consideration by the competition authorities when examining an abuse of a dominant position’. (27) In other words, the Court accepts that an infringement of the provisions of the GDPR may constitute an infringement of competition law.
92. Although that was said not in the context of a dispute between individuals but in the context of the examination of an anticompetitive practice by a national competition authority, I see no reason why the possibility of an infringement of the provisions of the GDPR being taken into account in an incidental manner should be limited to that situation.
93. First, as regards competition law, since it is accepted that an infringement of the provisions of the GDPR may be taken into account in a public enforcement matter, in my view it should also be possible for such an infringement to be taken into account in private enforcement and, therefore, in disputes between individuals which are not primarily based on an infringement of a right conferred by the GDPR, unless it is accepted that individuals cannot obtain compensation for the harm caused by an infringement of competition law which has nonetheless been established by a competition authority.
94. Second, as Advocate General Richard de la Tour has observed, the protection of personal data may have ‘ramifications … in other areas relating, in particular, to employment law, competition law or even consumer law’. (28) To my mind, the influence which the GDPR thus has in other areas must mean that its provisions may be taken into account in actions which are primarily based on provisions having no connection with that regulation.
95. As regards, in the second place, the question of the interaction between national actions in which the provisions of the GDPR are taken into account in an incidental manner and the system of remedies established by that regulation, I am of the view that such actions should be accepted only on condition that they do not undermine the system of remedies provided for in that regulation or the attainment of its objectives.
96. Those conditions were developed in the case-law concerning the exhaustiveness of a harmonised system of remedies vis-à-vis national actions based on the same law. (29) To my mind, therefore, there are even more compelling reasons why those conditions must be satisfied in a situation involving national rules which confer on undertakings the right to bring an action not on the basis of the same law but on the basis of national law, but nonetheless relying on infringements of the substantive provisions of the GDPR allegedly committed by another undertaking.
97. It must therefore be ascertained whether those conditions are satisfied in the present case.
98. As regards, first of all, whether an action for an injunction brought by an undertaking against a competitor in reliance on an infringement by the competitor of the provisions of the GDPR undermines the system of remedies provided for in Chapter VIII of that regulation, I am of the view that that is not the case. Those remedies allow data subjects, or the not-for-profit bodies, organisations or associations authorised by them, to lodge a complaint with a supervisory authority (Article 77), to bring proceedings against a decision of a supervisory authority (Article 78), to bring proceedings against a controller or a processor (Article 79) or to receive compensation from the controller or processor for the damage suffered as a result of an infringement of the regulation (Article 82).
99. In other words, as the Court makes clear in its case-law, Chapter VIII of the GDPR ‘governs … the legal remedies enabling the protection of the data subject’s rights where his or her personal data have been the subject of processing that is allegedly contrary to the provisions of that regulation’, while the protection of those rights may ‘be sought either directly by the data subject or by an authorised entity, whether there is a mandate to that end or not’. (30)
100. In those circumstances, the action which an undertaking might bring against a competitor in reliance on an infringement of the GDPR by that competitor is indeed ultimately based on the infringement of the same provision, but does not pursue the same objective and is not between the same parties. In other words, such an action provided for by national law is not intended to ensure respect for the rights of which the data subjects are beneficiaries.
101. It follows, to my mind, that the actions made available to data subjects by the system of remedies established by the GDPR are preserved and, even where an action is brought by an undertaking against a competitor, may still be exercised.
102. In that regard, I must also make clear that I do not see to what extent, as the Commission maintains, such actions would be liable to undermine the public system for supervising the application of the right established by the GDPR, in so far as that regulation also explicitly provides, alongside such a public system, for the possibility for a data subject to rely on the rights which he or she derives from the GDPR in the context of judicial proceedings.
103. As regards, next, the objectives pursued by the GDPR, it follows from recital 10 thereof that that regulation aims, inter alia, to ensure both a high level of protection of natural persons and the consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data.
104. In my view the attainment of none of those objectives seems to be threatened by the possibility afforded to an undertaking to bring an action for an injunction, based on the prohibition of acts of unfair competition, against a competitor in reliance on an infringement by that competitor of the provisions of the GDPR. First, the high level of protection of natural persons with regard to the processing of their personal data seems to me to be attained, indeed strengthened, by the possibility, extended to an undertaking, of relying on an infringement of the substantive provisions of the GDPR by a competitor. Second, the fact that those provisions may be relied on more widely, by persons other than just data subjects, does not undermine the attainment of the objective of consistent and homogenous protection within the European Union. Even if the Member States did not provide for such a possibility, that would not result in a fragmentation of the implementation of data protection in the European Union, as the substantive provisions of the GDPR are binding in the same way on all undertakings and compliance with those provisions is ensured by the remedies provided for in that regulation.
105. As regards, last, the effectiveness of the GDPR, far from being undermined by the possibility offered to an undertaking to bring an action for an injunction against a competitor in reliance on an infringement of the GDPR, it seems to me, as I have stated, to be reinforced by the fact that compliance with the provisions of that regulation may also be enforced in judicial proceedings distinct from those provided for by the system of remedies established by that regulation.
106. In those circumstances, I am of the view that an action for an injunction brought by an undertaking against a competitor in reliance on the infringement by that competitor of the provisions of the GDPR may exist alongside the remedies established in Chapter VIII of the GDPR in so far as those provisions are not thereby adversely affected and the objectives and effectiveness of that regulation are not undermined.
107. I therefore propose that the Court should rule that the provisions of Chapter VIII of the GDPR do not preclude national rules which afford undertakings the right to rely, on the basis of the prohibition of acts of unfair competition, on infringements of the substantive provisions of that regulation which are alleged to be committed by their competitors.
V. Conclusion
108. In the light of all the foregoing considerations, I propose that the questions for a preliminary ruling referred by the Bundesgerichtshof (Federal Court of Justice, Germany) should be answered as follows:
Article 4(15) and Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that the data of customers of a pharmacist which are transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines do not constitute ‘data concerning health’.