In a landmark decision of October 4, 2024, the Court of Justice of the European Union (CJEU) broadened the interpretation of ‘data concerning health’ under the General Data Protection Regulation (GDPR). The ruling has profound implications for businesses in the healthcare sector, notably online pharmacies and e-commerce platforms that deal in health-related products.
Key Findings from the Ruling
– Health Data Definition: The CJEU clarified that the purchase information of pharmacy-only medicinal products qualifies as ‘data concerning health’ under Article 4(15) of the GDPR. This determination is based on the potential of such data to reveal insights into an individual’s health status.
– Processing Guidelines: The court emphasized that processing health data without meeting specific conditions, as outlined in Article 9(2) of the GDPR, is generally prohibited. These conditions include scenarios such as obtaining explicit consent from the data subject or meeting obligations related to employment and social security legislation.
– Enforcement Rights for Competitors: The ruling also opens the way for competitors to bring legal proceedings against businesses for non-compliance with the GDPR, provided that national law permits such actions and the violation affects their competitive interests.
Implications for E-commerce and Health-Related Businesses
This decision holds significant repercussions for the compliance responsibilities of businesses operating in the health sector, particularly those in e-commerce. Companies involved in selling pharmacy-only medicinal products must now treat customer purchase data as sensitive health information.
Moreover, e-commerce platforms facilitating third-party sales of health-related products may now be implicated in processing sensitive health data. Even if such a platform does not sell the products itself, ancillary data such as purchase details may contain health-related information.
Compliance Measures for Businesses
For organizations handling health-related data, it is crucial to reassess their data collection and processing protocols. Consider the following actions:
– Review Data Handling Practices: Regularly evaluate whether collected data could indirectly or directly disclose health-related information.
– Ensure Explicit Consent: Implement robust consent mechanisms in alignment with GDPR requirements, especially for sensitive data categories.
– Conduct Vendor Audits: Maintain rigorous audits for any third-party vendors to ensure they comply with GDPR standards.
– Staff Training: Provide comprehensive GDPR compliance training for staff managing sensitive data.
Organizations can benefit from legal consultations to keep abreast of evolving GDPR interpretations and ensure their data practices align with current legal expectations.
Original source link: [CJEU Ruling Expands GDPR Rules for Health-Related Data](https://www.loganpartners.com/cjeu-ruling-expands-gdpr-rules-for-health-related-data/?utm_source=mondaq&utm_medium=syndication&utm_content=articleoriginal&utm_campaign=article).