Provisional text

JUDGMENT OF THE COURT (Grand Chamber)

4 October 2024 (*)

( Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Chapter VIII – Remedies – Medicinal products marketed by a pharmacist on an online platform – Action brought before the national civil courts by a competitor of that pharmacist on the basis of the prohibition of unfair commercial practices for infringement by the pharmacist of the obligations laid down by that regulation – Standing to bring proceedings – Article 4(15) and Article 9(1) and (2) – Directive 95/46/EC – Article 8(1) and (2) – Concept of ‘data concerning health’ – Conditions for the processing of those data )

In Case C‑21/23,

REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesgerichtshof (Federal Court of Justice, Germany), made by decision of 12 January 2023, received at the Court on 19 January 2023, in the proceedings

ND

v

DR,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, L. Bay Larsen, Vice-President, K. Jürimäe, C. Lycourgos, E. Regan, F. Biltgen and N. Piçarra, Presidents of Chambers, S. Rodin, P.G. Xuereb, L.S. Rossi, I. Jarukaitis, N. Jääskinen and I. Ziemele (Rapporteur), Judges,

Advocate General: M. Szpunar,

Registrar: N. Mundhenke, Administrator,

having regard to the written procedure and further to the hearing on 9 January 2024,

after considering the observations submitted on behalf of:

–        ND, by A. Datta, M. Mogendorf and W. Spoerr, Rechtsanwälte,

–        DR, by M. Bahmann, Rechtsanwalt,

–        the German Government, by J. Möller and P.-L. Krüger, acting as Agents,

–        the European Commission, by A. Bouchagiar, F. Erlbacher and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 25 April 2024,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 9(1) and the provisions in Chapter VIII of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), and of Article 8(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

2        The request has been made in proceedings between ND and DR, two natural persons each operating a pharmacy, concerning the marketing by ND, on an online platform, of pharmacy-only medicinal products.

 Legal context

 European Union law

3        Article 8 of Directive 95/46, entitled ‘The processing of special categories of data’, provided:

‘1.      Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2.      Paragraph 1 shall not apply where:

(a)      the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject’s giving his consent; or

…’

4        Recitals 9 to 11, 13, 35, 51, 53, 141 and 142 of the GDPR are worded as follows:

‘(9)      The objectives and principles of Directive [95/46] remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive [95/46].

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. … This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (“sensitive data”). …

(11)      Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

…

(13)      In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …

…

(35)      Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.

…

(51)      Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. … Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

…

(53)      Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of [healthcare] services and systems … Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. …

…

(141)      Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the [Charter of Fundamental Rights of the European Union (“the Charter”)] if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. …

(142)      Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject’s mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.’

5        Article 1 of that regulation, entitled ‘Subject matter and objectives’, provides:

‘1.      This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2.      This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3.      The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’

6        Article 4 of that regulation provides:

‘For the purposes of this Regulation:

(1)      “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)      “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

…

(7)      “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

…

(15)      “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

…

(21)      “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51;

…’

7        Chapter II of the GDPR, entitled ‘Principles’, comprises Articles 5 to 11 of the regulation.

8        Article 5 of that regulation sets out the principles relating to the processing of personal data, whereas Article 6 of that regulation lays down the conditions for lawful processing.

9        In the words of Article 9 of that regulation, entitled ‘Processing of special categories of personal data’:

‘1.      Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

2.      Paragraph 1 shall not apply if one of the following applies:

(a)      the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

…

(h)      processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

…’

10      Article 51 of the GDPR, entitled ‘Supervisory authority’, provides, in paragraph 1:

‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (“supervisory authority”).’

11      Chapter VIII of the GDPR, entitled ‘Remedies, liability and penalties’, comprises Articles 77 to 84 of that regulation.

12      Article 77 of that regulation, entitled ‘Right to lodge a complaint with a supervisory authority’, provides, in paragraph 1:

‘Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.’

13      Article 78 of that regulation, entitled ‘Right to an effective judicial remedy against a supervisory authority’, states, in paragraph 1:

‘Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.’

14      Article 79 of that regulation, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides, in paragraph 1:

‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’

15      Article 80 of the GDPR, entitled ‘Representation of data subjects’, is worded as follows:

‘1.      The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

2.      Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’

16      Article 82 of that regulation, entitled ‘Right to compensation and liability’, provides, in paragraph 1:

‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’

17      Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides, in paragraph 1:

‘Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.’

18      Article 84 of that regulation, entitled ‘Penalties’, provides, in paragraph 1:

‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’

19      Article 94 of the GDPR stipulates, in paragraph 1:

‘Directive [95/46] is repealed with effect from 25 May 2018.’

20      Article 99 of the regulation provides:

‘1.      This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.      It shall apply from 25 May 2018.’

 German law

 Law against unfair competition

21      Paragraph 3 of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) of 3 July 2004 (BGB1. 2004 I, p. 1414), in the version applicable to the main proceedings (‘the UWG’), entitled ‘Prohibition of unfair commercial practices’, provides, in subparagraph 1:

‘Unfair commercial practices shall be prohibited.’

22      Paragraph 3a of the UWG, entitled ‘Infringement of the law’, is worded as follows:

‘Anyone who infringes a statutory provision intended, inter alia, to regulate market conduct in the interest of market players acts unfairly where that infringement is capable of having an appreciable adverse effect on consumers, other market players or competitors.’

23      Paragraph 8 of that law, entitled ‘Cease and desist and prohibitory injunction’, states:

‘(1)      Any commercial practice which is prohibited under Paragraph 3 or Paragraph 7 may give rise to an order to cease and desist and, where there is a risk of recurrence, a prohibitory injunction. …

…

(3)      The injunctive relief referred to in subparagraph 1 may be claimed by:

1.      any competitor who markets or requests goods or services in a non-negligible and non-occasional manner,

…’

 Law on the marketing of medicinal products

24      The movement of medicinal products is governed by the Gesetz über den Verkehr mit Arzneimitteln (Law on the marketing of medicinal products) of 24 August 1976 (BGBl. 1976 I, p. 2444), in the version published on 12 December 2005 (BGBl. 2005 I, p. 3394), as applicable to the facts in the main proceedings, draws a distinction between medicinal products sold in pharmacies and those sold on prescription, the latter being subject to Paragraph 48, entitled ‘Prescription requirement’.

 The dispute in the main proceedings and the questions referred for a preliminary ruling

25      ND, who operates a pharmacy under the trade name ‘Lindenapotheke’, has been marketing, since 2017, pharmacy-only medicinal products on the online platform ‘Amazon-Marketplace’ (‘Amazon’). When ordering those medicinal products online, ND’s customers must enter information, such as their name, the delivery address and details required for individualising the products.

26      DR, who also operates a pharmacy, brought an action before the Landgericht Dessau-Roßlau (Regional Court, Dessau-Roßlau, Germany) seeking an order for ND to cease, subject to periodic penalty payments, marketing on Amazon pharmacy-only medicinal products, so long as there is no guarantee that customers will be able to give their prior consent to the processing of data concerning health.

27      In support of his action, DR claimed that the marketing on Amazon of pharmacy-only medicinal products was unfair, on account of the failure to comply with the legal requirements for obtaining the customer’s consent required by the legislation on the protection of personal data.

28      By decision of 28 March 2018, the Landgericht Dessau-Roßlau (Regional Court, Dessau-Roßlau) upheld the action.

29      ND brought an appeal against that decision before the Oberlandesgericht Naumburg (Higher Regional Court, Naumburg, Germany), which dismissed the appeal by decision of 7 November 2019.

30      The appeal court held that the marketing on Amazon of pharmacy-only medicinal products constituted an unfair practice and was therefore prohibited under Paragraph 3(1) of the UWG. In its view, such marketing of medicinal products entails the processing of data concerning health, which is prohibited under Article 9(1) of the GDPR, in the absence of explicit consent from the customers purchasing medicinal products, in accordance with Article 9(2)(a) of that regulation. The rules laid down by that regulation constitute statutory provisions intended to regulate market conduct within the meaning of Paragraph 3a of the UWG. Furthermore, under Paragraph 8(3)(1) of the UWG, as competitor DR is entitled to plead infringement of those rules by ND by means of an application for injunctive relief before the civil courts.

31      ND lodged an appeal on a point of law with the Bundesgerichtshof (Federal Court of Justice, Germany), which is the referring court.

32      That court states that the outcome of the dispute depends on the interpretation of Chapter VIII of the GDPR and Article 9(1) of that regulation, as well as Article 8(1) of Directive 95/46.

33      In the first place, the referring court asks whether, since the repeal of Directive 95/46 with effect from 25 May 2018, the date from which the GDPR became applicable, it is still open to the Member States to make provision, under national law, for competitors of an undertaking, such as those referred to in Paragraph 8(3)(1) of the UWG, to have standing to put an end, by means of an action before a civil court, to infringements of the provisions of the GDPR committed by that undertaking, on the basis of the prohibition of unfair commercial practices.

34      The referring court observes that that question gives rise to divergent answers at national level. Such an answer cannot be inferred unequivocally either from the wording of the provisions of Chapter VIII of the GDPR or from the general scheme of those provisions or from the objective pursued by that regulation.

35      Thus, first of all, as regards the wording of the provisions of Chapter VIII of the GDPR, the referring court states that, admittedly, those provisions do not mention anywhere the possibility for competitors of an undertaking to bring an action against that undertaking, in particular where the infringement of data protection legislation constitutes unfair commercial practices. However, at the same time, those provisions do not formally exclude that possibility.

36      As regards, next, the general scheme of the provisions of Chapter VIII of the GDPR, the referring court points out that, on the one hand, as the Court held in the judgment of 28 April 2022, Meta Platforms Ireland (C‑319/20, EU:C:2022:322, paragraph 57), that regulation seeks to ensure the harmonisation of national legislation on the protection of personal data, which is, in principle, full. However, on the other, the fact that Article 77(1), Article 78(1) and (2) and Article 79(1) of the GDPR each contains the phrase ‘without prejudice to any [other] … remedy’ could preclude the conclusion that monitoring of the application of the law is exhaustively governed by that regulation.

37      Finally, as regards the objective of harmonisation and, in particular, of unification of the level of monitoring of the application of the law within the European Union pursued by the GDPR, the referring court states, first, that the fact that competitors may have standing to bring proceedings under competition law and, consequently, enforce the provisions of data protection law alongside the instruments provided for by the GDPR could run counter to that objective. Furthermore, it is not certain that the system for monitoring the application of the law provided for by that regulation contains a lacuna which needs to be filled by conferring on competitors the possibility of having standing to bring proceedings under competition law. Similarly, competition between the supervisory authorities, on the one hand, and the civil courts, on the other, as regards the monitoring of the application of data protection law would risk encroaching on the powers of the supervisory authorities and leading to divergences, within the European Union, in the monitoring of the application of data protection law.

38      Second, according to the referring court, allowing competitors to bring proceedings under competition law could constitute a further possibility of monitoring the application of the law, which is desirable under the principle of effectiveness (‘effet utile’) in order to ensure the highest possible level of protection of personal data, in accordance with recital 10 of the GDPR.

39      The referring court notes that that question has not been clarified by the case-law of the Court of Justice and that, in particular, in the judgment of 28 April 2022, Meta Platforms Ireland (C‑319/20, EU:C:2022:322), the Court expressly left open the question of a competitor’s standing to bring proceedings.

40      In the second place, the referring court asks whether the data which customers must enter on the online sales platform when ordering medicinal products, such as their name, the delivery address and the information required for individualising the medicinal products ordered, constitute ‘data concerning health’ within the meaning of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR.

41      According to that court, the answer to that question is not obvious where the medicinal products ordered do not require a prescription. In such a case, it is conceivable that those medicinal products may be intended not for the customers themselves but for third parties, who may not be identifiable.

42      The referring court points out that the wording of those provisions and that of Article 4(15) of the GDPR, read in conjunction with recital 35 of that regulation, do not, on their own, provide an answer to that question.

43      However, in paragraph 125 of the judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601), the Court held that the concept of ‘special categories of personal data’, referred to in Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, must be interpreted broadly in the light of the objective of that regulation, which is to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular of their private life, with respect to the processing of personal data concerning them. If such a broad interpretation of that concept were to be adopted, it could be concluded that such information constitutes data concerning health where it is not certain but merely probable that the customers who order the medicinal products are the persons for whom they are intended.

44      The referring court states that the right to injunctive relief, relied on by DR, presupposes that ND’s conduct at issue was prohibited both at the time when it was adopted and at the time when the hearing in the appeal on a point of law took place, and that the first of those periods of time was still governed by Article 8(1) of Directive 95/46, whereas the second is now covered by Article 9(1) of the GDPR.

45      It was in that context that the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Do the rules in Chapter VIII of [the GDPR] preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of [that regulation] against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?

(2)      Do the data that the customers of a pharmacist who acts as a seller on an online sales platform enter when ordering pharmacy-only but not prescription-only medicines on the sales platform (data such as the customer’s name, delivery address and information required for individualising the pharmacy-only medicine ordered) constitute data concerning health within the meaning of Article 9(1) of the GDPR and of Article 8(1) of [Directive 95/46]?’

 Consideration of the questions referred

 The first question

46      By its first question, the referring court seeks to ascertain whether the provisions of Chapter VIII of the GDPR must be interpreted as precluding national legislation which, alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation and the remedies available to data subjects, confers on competitors of the person allegedly responsible for an infringement of the laws protecting personal data standing to bring proceedings against that person, by means of an action before the civil courts, for infringements of that regulation and on the basis of the prohibition of unfair commercial practices.

47      It must be recalled, at the outset, that Chapter VIII of the GDPR governs, inter alia, the legal remedies enabling the protection of the data subject’s rights where his or her personal data have been the subject of processing that is allegedly contrary to the provisions of that regulation. The protection of those rights may thus be sought either directly by the data subject, under Articles 77 to 79 of that regulation, or by an authorised entity, whether there is a mandate to that end or not, pursuant to Article 80 thereof (see, to that effect, judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 53).

48      First, Article 77(1) of the GDPR provides that, without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority. Under Article 78(1) of that regulation, each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, without prejudice to any other administrative or non-judicial remedy. Article 79(1) of that regulation guarantees each data subject the right to an effective judicial remedy, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of that regulation.

49      Second, in accordance with Article 80(1) of the GDPR, the data subject has the right to mandate a not-for-profit body, organisation or association, subject to certain conditions, to lodge a complaint on his or her behalf or to exercise, on his or her behalf, the rights referred to in Articles 77 to 79 of that regulation. In addition, in accordance with Article 80(2) of the GDPR, Member States may provide that any body, organisation or association, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority, pursuant to Article 77 of that regulation, and to exercise the rights referred to in Articles 78 and 79 thereof, if it considers that the rights of a data subject under that regulation have been infringed as a result of the processing of personal data concerning him or her.

50      In the present case, it is apparent from the documents before the Court that ND, who operates a pharmacy, markets pharmacy-only medicinal products on Amazon and that, when ordering those medicinal products online, customers must enter data, such as their name, the delivery address and the information required for individualising those medicinal products. However, the action in the main proceedings was brought before a civil court not by those customers, who are data subjects within the meaning of Article 4(1) of the GDPR, on the basis of Article 79 of that regulation, or by an authorised body, organisation or association, with or without of a mandate from a data subject for that purpose, pursuant to Article 80 of that regulation, but by a competitor of that pharmacist on the basis of the prohibition of unfair commercial practices, in respect of infringements by that pharmacist of the provisions of the GDPR.

51      The case in the main proceedings therefore raises the question whether the GDPR precludes a competitor such as DR, who is not a data subject within the meaning of Article 4(1) of that regulation, from having standing to bring such an action before the national civil courts.

52      In that regard, it should be borne in mind that, in interpreting a provision of EU law it is necessary to consider not only its wording but also its context and the objectives pursued by the legislation of which it forms part (see, to that effect, judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C‑132/21, EU:C:2023:2, paragraph 32).

53      As regards the wording of the provisions of Chapter VIII of the GDPR, it should be noted that none of them expressly rules out the possibility for a competitor of an undertaking to bring an action before the civil courts against that undertaking on the basis of the prohibition of unfair commercial practices, in respect of the alleged infringement by that undertaking of the obligations laid down by that regulation. On the contrary, it follows from the wording of Article 77(1), Article 78(1) and Article 79(1) of the GDPR, recalled in paragraph 48 above, that the right to lodge a complaint with a supervisory authority and the right to an effective judicial remedy against such an authority and against a data controller or processor, in those provisions, is ‘without prejudice’ to any other administrative, judicial or non-judicial remedy.

54      As regards the context of Chapter VIII of the GDPR, it should be noted that that regulation contains, in Chapter II, a set of substantive provisions relating, inter alia, to the principles relating to the processing of personal data, set out in Article 5, and to the conditions for lawful processing, set out in Article 6, which are intended to ensure full compliance with, inter alia, the fundamental right to the protection of personal data of data subjects, guaranteed in Article 16(1) TFEU and Article 8 of the Charter. The absence, in Chapter VII of the GDPR, of provisions allowing competitors of an undertaking which allegedly infringed those substantive provisions to bring an action to put an end to that infringement is thus explained by the fact that only the data subjects, and not those competitors, are, as the Advocate General observed in point 80 of his Opinion, the beneficiaries of the protection of personal data afforded by that regulation.

55      That said, while the infringement of those substantive provisions is likely to affect primarily the data subjects concerned by the data at issue, it is also liable to adversely affect third parties, as illustrated by the fact that Article 82(1) of the GDPR provides for a right to compensation for ‘any person who has suffered material or non-material damage as a result of an infringement of [that regulation]’. The Court has also already had occasion to hold that the infringement of a rule relating to the protection of personal data may at the same time give rise to an infringement of rules on consumer protection or unfair commercial practices (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 78) and may be a vital clue for the purposes of assessing the existence of an abuse of a dominant position within the meaning of Article 102 TFEU (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraphs 47 and 62).

56      In that context, it is important to recall that access to and use of personal data are of great importance in the context of the digital economy. Access to personal data and the ability to process such data have become a significant parameter of competition between undertakings in the digital economy. Therefore, in order to take account of the reality of this economic development and to ensure fair competition, it may be necessary to take into account the rules on the protection of personal data in the context of the application of competition law and the rules on unfair commercial practices (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraphs 50 and 51).

57      Furthermore, while it is apparent from Article 1(1) of the GDPR, read in the light, inter alia, of recitals 9 and 13 thereof, that that regulation seeks to ensure the harmonisation of national legislation on the protection of personal data which is, in principle, full, the fact remains that several provisions of that regulation expressly make it possible for Member States to lay down additional, stricter or derogating national rules, which leave them a margin of discretion as to the manner in which those provisions may be implemented (‘opening clauses’) (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 57).

58      The Court has already held that this is the case of Article 80(2) of the GDPR, which leaves the Member States a margin of discretion with regard to its implementation and which does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis inter alia of the infringement of the prohibition of unfair commercial practices, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraphs 59 and 83).

59      It is true that the provisions of Chapter VIII of the GDPR do not specifically provide for such an opening clause which would expressly allow Member States to make it possible for a competitor of an undertaking which allegedly infringes the substantive provisions of that regulation to bring an action in order to put an end to that infringement.

60      However, it follows from the wording and context of the provisions of Chapter VIII, recalled in paragraphs 53 to 58 above, that, by adopting that regulation, the EU legislature did not intend to bring about an exhaustive harmonisation of the remedies available in respect of infringements of the provisions of the GDPR and, in particular, did not wish to rule out the availability of such remedies to competitors of the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of national law relating to the prohibition of unfair commercial practices.

61      That interpretation is confirmed by the objectives pursued by the GDPR, which, as is apparent, inter alia, from recital 10 thereof, seeks to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data and to remove obstacles to the flow of such data within the European Union. Recital 11 of that regulation states, furthermore, that effective protection of such data requires the strengthening of the rights of data subjects and of the obligations of those who process and determine the processing of data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States. Recital 13 of that regulation states that in order to ensure a consistent level of protection for natural persons throughout the European Union and to prevent divergences hampering the free movement of personal data within the internal market, a regulation is necessary to provide legal certainty and transparency for economic operators, to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for data controllers and processors, and to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States.

62      The possibility for a competitor of an undertaking to bring an action before the civil courts on the basis of the prohibition of unfair commercial practices in order to put an end to an infringement of the substantive provisions of the GDPR, allegedly committed by that undertaking, not only does not undermine those objectives but it is, in fact, such as to enhance the effectiveness of those provisions and thus the high level of protection of data subjects with regard to the processing of their personal data, pursued by that regulation.

63      In the first place, an application for injunctive relief brought by a competitor against an undertaking on the basis of the prohibition of unfair commercial practices, on account of the alleged infringement of the substantive provisions of the GDPR, in no way undermines the system of remedies provided for in Chapter VIII of that regulation or the objective of ensuring a consistent level of protection for natural persons throughout the European Union and of preventing divergences hampering the free movement of personal data within the internal market.

64      It is true that such an application may be based, albeit incidentally, on an infringement of the same provisions of the GDPR as those on which a complaint or action brought, under Articles 77 to 79 of that regulation, by the data subjects or by a body, organisation or association, within the meaning of Article 80 thereof, may be based.

65      However, first, unlike Articles 77 to 80 of the GDPR, an application for injunctive relief brought by a competitor does not, as such, pursue an objective of protection of the fundamental rights and freedoms of data subjects with regard to the processing of their personal data, but seeks to ensure fair competition, in the interests, inter alia, of that competitor.

66      Second, the possibility for a competitor to bring such an action before the civil courts on the basis of the prohibition of unfair commercial practices is in addition to the remedies established in Articles 77 to 79 of the GDPR, which remain in full and can still be pursued by data subjects and, where appropriate, by bodies, organisations or associations within the meaning of Article 80 of that regulation.

67      In particular, as the German Government pointed out, the coexistence of remedies under data protection law and competition law does not create a risk for the uniform application of the GDPR. In that context, it must be stated that it follows from the wording of Articles 77 to 80 of that regulation that it does not provide for any priority or exclusive competence or jurisdiction or for any rule of precedence in respect of the assessment carried out by the authority or by the courts referred to therein as to whether there is an infringement of the rights conferred by that regulation (see, to that effect, judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C‑132/21, EU:C:2023:2, paragraph 35). Therefore, the fact that the application for injunctive relief is brought by a competitor of the person allegedly responsible for an infringement of the laws protecting personal data before the civil courts does not undermine the system of remedies laid down in Chapter VIII of the GDPR. Moreover, as that government observed, the uniform interpretation of the substantive provisions of that regulation, which may be applied to the same infringement by the supervisory authority and the courts seised under Articles 77 to 80 of that regulation, on the one hand, and by the courts seised by such a competitor on the basis of the prohibition of unfair commercial practices, on the other, is ensured by the preliminary ruling procedure provided for in Article 267 TFEU.

68      Third, as the Advocate General observed, in essence, in point 104 of his Opinion, the fact that the substantive provisions of the GDPR made be relied on more widely, by persons other than just data subjects and bodies, organisations and associations, within the meaning of Article 80 of that regulation, does not undermine the attainment of the objective of ensuring a consistent level of protection of those persons throughout the European Union and of preventing divergences hampering the free movement of personal data within the internal market. Even if the Member States did not provide for such a possibility, this would not result in a fragmentation of the implementation of data protection in the European Union, since the substantive provisions of the GDPR are binding in the same way on all controllers within the meaning of Article 4(7) of that regulation, and compliance with those provisions is ensured by the remedies provided for in that regulation.

69      In the second place, as regards the objective of ensuring effective protection of data subjects with regard to the processing of their personal data and the effectiveness of the substantive provisions of the GDPR, it must be held that, although an application for injunctive relief brought by a competitor of the person allegedly responsible for an infringement of the laws protecting personal data pursues, as noted in paragraph 65 above, not that objective but that of ensuring fair competition, the fact remains that it undoubtedly contributes to compliance with those provisions and, therefore, to strengthening the rights of data subjects and ensuring that they enjoy a high level of protection (see, to that effect, judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 74).

70      Moreover, such an application for injunctive relief brought by a competitor may prove, like that brought by a consumer protection association, to be particularly effective in ensuring such protection, in so far as it is capable of preventing a large number of infringements of the rights of data subjects by the processing of their personal data (see, to that effect, judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 75).

71      It follows that the interpretation adopted in paragraph 60 above is consistent with the requirements stemming from Article 16(1) TFEU and Article 8 of the Charter and, thus, with the objective pursued by the GDPR consisting in ensuring effective protection of the fundamental rights and freedoms of natural persons and, in particular, ensuring a high level of protection of the right of every person to the protection of personal data concerning him or her (see, to that effect, judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 73).

72      In the present case, it is for the referring court to ascertain whether the alleged infringement of the substantive provisions of the GDPR at issue in the main proceedings, in so far as it is established, also constitutes an infringement of the prohibition of unfair commercial practices laid down in the relevant national legislation.

73      In the light of the foregoing considerations, the answer to the first question is that the provisions of Chapter VIII of the GDPR must be interpreted as not precluding national legislation which, alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation and the remedies available to data subjects, confers on competitors of the person allegedly responsible for an infringement of the laws protecting personal data standing to bring proceedings against that person, by means of an action before the civil courts, for infringements of that regulation and on the basis of the prohibition of unfair commercial practices.

 The second question

74      By its second question, the referring court asks, in essence, whether Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR must be interpreted as meaning that, in a situation where the operator of a pharmacy markets pharmacy-only medicinal products on an online platform, the information which the customers of that operator enter when ordering the medicinal products online, such as their name, the delivery address and the details required for individualising the medicinal products, constitutes data concerning health, within the meaning of those provisions, even where the sale of those medicinal products does not require a prescription.

75      Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, the purport of which is similar for the purposes of the interpretation that the Court is required to give (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraphs 58 and 117) and which relate, as the title of those articles indicates, to the processing of ‘special categories’ of personal data, lay down the principle that such processing is prohibited. As expressly stated in recital 51 of that regulation, personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.

76      Those special categories of personal data, listed in Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, include data concerning health. Those data cover, in accordance with Article 4(15) of that regulation, read in conjunction with recital 35 of that regulation, all personal data which reveal information relating to the past, present or future health status of a natural person, including data relating to the provision of healthcare services to that person.

77      In addition, it is apparent inter alia from Article 4(1) of the GDPR that the concept of ‘personal data’ means any information relating to an identified or identifiable natural person and that in order to be classified as an ‘identifiable’ person, it is sufficient that the person in question can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

78      Thus, where the data on purchases of medicinal products allow conclusions to be drawn as to the health status of an identified or identifiable person, they must be regarded as data concerning health within the meaning of Article 4(15) of the GDPR.

79      In the present case, it is apparent from the documents before the Court that ND’s customers, when ordering pharmacy-only medicinal products online on Amazon, enter information such as their name, the delivery address and details for the individualisation of the medicinal products. That information undoubtedly constitutes ‘personal data’ given that it relates to identified or identifiable natural persons.

80      In those circumstances, it is necessary to determine whether such data are capable of revealing information about the health status of those persons, within the meaning of Article 4(15) of the GDPR, and, consequently, constitute data concerning health within the meaning of Article 8(1) of Directive 95/46 and Article 9(1) of that regulation.

81      In that regard, the Court has already held that, having regard to the objective of Directive 95/46 and the GDPR, which is to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular of their private life, with respect to the processing of personal data concerning them, the concept of ‘data concerning health’ referred to in Article 9(1) of that regulation and Article 8(1) of that directive, must be interpreted broadly (see, to that effect, judgments of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraph 50, and of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 125).

82      In particular, those provisions cannot be interpreted as meaning that the processing of personal data that are liable indirectly to reveal sensitive information concerning a natural person is excluded from the strengthened protection regime prescribed by those provisions, if the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure are not to be compromised (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 127).

83      Therefore, in order for personal data to be classified as data concerning health, within the meaning of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, it is sufficient that they are capable of revealing information about the health status of the data subject by means of an intellectual operation involving collation or deduction (see, to that effect, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 123).

84      The data which a customer enters on an online platform when ordering pharmacy-only medicinal products are capable of revealing, by means of an intellectual operation involving collation or deduction, information on the health status of the data subject, within the meaning of Article 4(1) of the GDPR, in so far as that order entails establishing a link between a medicinal product, its therapeutic indications or uses, and a natural person identified or identifiable by factors such as that person’s name or the delivery address.

85      The referring court is uncertain, however, as to whether the fact that the sale of the medicinal products ordered does not require a prescription is relevant in so far as, in that case, those medicinal products could be intended not for the customer placing the order but for third parties.

86      In that regard, it must be noted that, for the purposes of applying Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, it is important to ascertain, where personal data are processed by the operator of a pharmacy in the context of an activity carried out on an online platform, if those data allow information falling within one of the categories referred to in those provisions to be revealed, irrespective of whether that information concerns a user of that platform or any other natural person. If so, then such processing of personal data is prohibited, subject to the derogations provided for in paragraph 2 of those provisions (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 68).

87      That fundamental prohibition is independent of whether or not the information revealed by the processing operation in question is correct and of whether the data controller is acting with the aim of obtaining information that falls within one of the special categories referred to in Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR. In view of the significant risks to the fundamental freedoms and fundamental rights of data subjects arising from any processing of personal data falling within those categories, the objective of those provisions is to prohibit such processing, irrespective of its stated purpose and the accuracy of the information in question (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraphs 69 and 70).

88      It follows that, where a user of an online platform communicates personal data when ordering pharmacy-only medicinal products the sale of which does not require a prescription, the processing of those data by the operator of a pharmacy which sells those medicinal products on that online platform must be regarded as processing of data concerning health, within the meaning of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, given that the processing of those data is capable of revealing information on the health status of a natural person, irrespective of whether that information concerns that user or any other person for whom the user places the order (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 73).

89      An interpretation of those provisions which would result in a distinction being made according to the type of medicinal product concerned and to whether or not the sale of those medicinal products requires a prescription would not be consistent with the objective of ensuring a high level of protection, recalled in paragraph 81 above. Such an interpretation would, moreover, run counter to the purpose of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, namely to ensure enhanced protection as regards processing which, because of the particular sensitivity of the data processed, is liable to constitute, as follows from recital 51 of the GDPR, a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 126 and the case-law cited).

90      Consequently, the information which customers of an operator of a pharmacy enter when ordering online pharmacy-only medicinal products the sale of which does not require a prescription constitutes data concerning health, within the meaning of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, even where it is only with a certain degree of probability, and not with absolute certainty, that those medicinal products are intended for those customers.

91      Moreover, it is not inconceivable that, even if such medicinal products are intended for persons other than the customers, it may be possible to identify those persons and draw conclusions about their health status. That could be the case, for example, where the medicinal products in question are delivered not to the home of the customer who ordered them but to the home of another person, or where, irrespective of the delivery address, the customer referred, in the order or in any communication relating to the order, to another identifiable person, such as a family member. Similarly, where the customers must identify themselves and/or register to place the order, for example by creating a customer account or joining a loyalty program, it is conceivable that the information entered by the customers in that context may be used to draw conclusions not only about their own health status, but also about the health status of another person, in particular when combined with the information relating to the medicinal products ordered.

92      Lastly, as has been pointed out in paragraph 86 above, the fact that information such as that at issue in the main proceedings constitutes data concerning health, within the meaning of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR, does not preclude it from being processed, as is apparent in particular from recital 53 of the GDPR, in particular in the context of the management of healthcare services and systems, if one of the conditions set out in paragraph 2 of those provisions is met.

93      This may in particular be the case, first, where, in accordance with point (a) of that paragraph 2, and subject to the exception provided for therein, the data subject gives explicit consent to one or more processing operations involving those personal data, the specific characteristics and purposes of which have been presented to him or her in an accurate, comprehensive and easily understandable manner. Second, such processing may be permissible under Article 9(2)(h) of the GDPR where processing is necessary for the purposes of the provision of healthcare on the basis of EU or Member State law or pursuant to a contract with a health professional.

94      In the light of the foregoing, the answer to the second question is that Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR must be interpreted as meaning that, in a situation where the operator of a pharmacy markets pharmacy-only medicinal on an online platform, the information which the customers of that operator enter when ordering the medicinal products online, such as their name, the delivery address and the details required for individualising the medicinal products, constitutes data concerning health, within the meaning of those provisions, even where the sale of those medicinal products does not require a prescription.

 Costs

95      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Grand Chamber) hereby rules:

1.      The provisions of Chapter VIII of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as not precluding national legislation which, alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation and the remedies available to data subjects, confers on competitors of the person allegedly responsible for an infringement of the laws protecting personal data standing to bring proceedings against that person, by means of an action before the civil courts, for infringements of that regulation and on the basis of the prohibition of unfair commercial practices.

2.      Article 8(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and Article 9(1) of Regulation 2016/679,

must be interpreted as meaning that, in a situation where the operator of a pharmacy markets pharmacy-only medicinal products on an online platform, the information which the customers of that operator enter when ordering the medicinal products online, such as their name, the delivery address and the details required for individualising the medicinal products, constitutes data concerning health, within the meaning of those provisions, even where the sale of those medicinal products does not require a prescription.

[Signatures]

*      Language of the case: German.