Datenschutz Evidence Brief
Geöffnetes Apothekenpaket mit Tablettenblistern neben dem gedruckten EuGH-Urteil C-21/23 Lindenapotheke auf einem Anwaltsschreibtisch

C-21/23 Lindenapotheke: A Pharmacy-Only, Non-Prescription Order Is Health Data under Art. 9 GDPR

In C-21/23, the Grand Chamber of the CJEU held that order data for pharmacy-only, non-prescription medicines constitutes health data within the meaning of Art. 9 GDPR. Swiss platforms with EU reach must review their legal basis, ordering process, and due diligence — and should expect the first challenge to come from a competitor, not a supervisory authority.

Casimir von Firn, MLaw

On 4 October 2024, the Grand Chamber of the Court of Justice of the European Union ruled in Case C-21/23 Lindenapotheke: the name, delivery address, and product details submitted when a customer orders a pharmacy-only, non-prescription medicine online constitute health data within the meaning of Art. 9(1) GDPR. The argument that no health data arises in the absence of a medical prescription no longer holds. Anyone supplying customers in the EU now needs either explicit consent under Art. 9(2)(a) GDPR or another legal basis under Art. 9(2), and should expect the first letter to come not from the supervisory authority but from a competitor.

ND operates pharmacy-only medicine sales on the Amazon Marketplace under the trading name Lindenapotheke. DR, a competing pharmacist, sought an injunction on the ground that processing health data without the explicit consent of the person placing the order was unlawful. The case reached Luxembourg via the appellate courts and the BGH. The Grand Chamber followed the line in OT (C-263/21): data falls within Art. 9(1) GDPR as soon as it enables inferences about the health of the data subject, even where those inferences are probabilistic. Combining a person’s name, delivery address, and specific pharmaceutical product enables precisely that inference. The fact that the inference may be ambiguous in individual cases — an order placed on behalf of a third party, bulk purchasing — does not take the processing outside the provision. The Bird & Bird commentary captures the point accurately: a probabilistic link suffices; there is no requirement that the data lead to a definitive conclusion about a medical condition. The Advocate General had taken the opposite view — without a prescription, any inference about a health condition was too uncertain to engage Art. 9(1) — but the Grand Chamber declined to follow that line.

The territorial scope has immediate implications for Swiss platforms. Art. 3(2)(a) GDPR covers processing by controllers outside the EU where they offer goods or services to persons in the EU. Every pharmacy, drugstore, or telemedicine platform based in Switzerland that delivers to EU addresses therefore falls within the GDPR’s market-targeting principle — the standard commercial case in cross-border distance selling. The DSG runs in parallel: Art. 5(c) DSG classifies health data as sensitive personal data, and Art. 31 DSG requires a justification for their processing. The Federal Data Protection and Information Commissioner (EDÖB) has not published a specific position on whether the CJEU’s interpretation carries across to the parallel definition in the DSG for pharmacy distance selling. A transfer of the CJEU’s reasoning to the DSG’s equivalent concept is nonetheless the natural reading; the Walder Wyss data-law group reads the judgment in exactly this way as directly relevant to Swiss practice.

The second question answered by the CJEU is central to the practical enforcement risk. Member States may (the Grand Chamber holds) grant competitors of a GDPR infringer the right to challenge the breach as an unfair commercial practice in civil proceedings. In Germany, § 3a UWG therefore applies in full. For Switzerland, the symmetry is open: Art. 2 UWG requires an “unfair” act within the meaning of commercial good faith, and Swiss case law on the breach-of-law doctrine is narrower than the approach under § 3a UWG. Whether a competing pharmacist can succeed against a Swiss platform on the basis of a systematic DSG infringement has not been definitively resolved — the claim becomes plausible only once it is deployed as a market strategy and credibly reaches the good-faith threshold under Art. 2 UWG.

Three items belong on the compliance agenda of every Swiss pharmacy, drugstore, or telemedicine platform with EU reach. First, the legal basis. Art. 9 data require a two-layer legal basis: a ground under Art. 6(1) GDPR and, independently, one of the grounds in Art. 9(2) GDPR. For pharmacy distance sales, the Art. 9(2) layer is typically explicit consent under Art. 9(2)(a) GDPR, which must be demonstrably obtained under Art. 7(1) GDPR and remain revocable at any time under Art. 7(3) GDPR. Second, the ordering process. Consent must be obtained before processing begins — in practice, a separate modal when the pharmacy-only item is added to the shopping basket, explaining its classification as health data, with a standalone entry in the order history to document compliance. It remains open how valid consent can be obtained where an order is placed on behalf of a third party unknown to the seller (the Grand Chamber addresses this scenario in para. 88 without resolving the consent mechanism). This point must be resolved internally before the modal goes live. Third, M&A due diligence. Any party preparing an acquisition in the pharmacy, telemedicine, or nutritional supplements space over the next twelve months must conduct a systematic review of the target’s Lindenapotheke compliance status. A pervasive breach belongs in the disclosure letter and in the negotiation of the warranty schedule — not in the standard representations and warranties package.

The substantive finding is settled: pharmacy-only order data falls within Art. 9 GDPR; the extension to vitamins, sports nutrition, and other online pharmacy ranges follows the same probabilistic logic and will likely yield a different result only in specific cases. In Germany, the BGH judgment of 27 March 2025 in the principal proceedings I ZR 222/19 has also confirmed that both competitor actions and association claims are available, and that the interim injunction remains the realistic escalation tool. What remains open is Swiss enforcement — both the scope of the UWG lever and the EDÖB’s position on cross-border pharmacy distance selling. What will decide that question is the next UWG case before a Swiss civil court, or a published EDÖB statement on the transposition of the CJEU’s interpretation. The consent overhaul is due regardless — the GDPR’s territorial reach already covers cross-border distance selling today.