Online Pharmacy – Court Ruling (Germany, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court upheld a decision against an online pharmacy for collecting unnecessary personal data during the ordering process. The pharmacy was found to violate data protection rules by asking for customers' birth dates and titles without a clear need. This case emphasizes the importance of collecting only essential customer data.
What happened
An online pharmacy required customers to provide their birth date and title without a clear necessity for these details.
Who was affected
Customers ordering from the online pharmacy, especially those who did not create an account.
What the authority found
The court ruled that the pharmacy's collection of unnecessary personal data violated data protection principles of lawfulness and data minimization.
Why this matters
This case highlights the need for businesses to justify data collection practices and ensure they only gather information essential for their services, reinforcing data minimization principles.
GDPR Articles Cited
The controller operates an online pharmacy located in Germany. The pharmacy allowed customers to order medical products with or without a customer account. For any order without an account, however, customers were required to enter their title (Ms./Mr.) and their date of birth in the online form. After receiving a complaint from a data subject, the LfD (DPA of Lower Saxony) investigated the case.
The controller argued that the date of birth was required to ensure the full legal capacity of the customer and was therefore necessary to perform the contract. Furthermore, obtaining the birth date was required to comply with legal obligations, since medications are generally associated with health risks and side effects and must be dosed appropriately for the customer's age. As for the title, the controller argued that collecting such data would allow for more customer-friendly communication and therefore serve an overriding legitimate interest.
The DPA found that the blanket collection of such data, irrespective of any gender- or age-specific application of the ordered medication, violates the principles of lawfulness and data minimization. Accordingly, the corresponding query must be omitted if it is not necessary for gender- or age-appropriate dosing. Furthermore, the controller failed to mention the purpose of collecting gender data to pursue legitimate interests, which violates the principle of transparency. Consequently, the DPA ordered the controller to refrain from collecting such information in the online ordering process where the necessity of such information is not indicated by the type of medication ordered.
The Administrative Court of Hanover held that the DPA's order against the online pharmacy is lawful and does not violate the controller's rights. While the controller has special contractual duties to provide information on their products and proper use, including an age-appropriate dosage, this does not justify the co
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. Online Pharmacy - Germany (2021). Retrieved from cookiefines.eu