Opinion of Advocate General Szpunar delivered on 25 April 2024.

• Jurisdiction: European Union
• Court: Court of Justice (European Union)
• ECLI: ECLI:EU:C:2024:354
• Date: 25 April 2024

Provisional text

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 25 April 2024 (1)

Case C‑21/23

ND

v

DR

(request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Remedies – Delimitation of remedies – Processing of special categories of personal data – Concept of ‘data concerning health’)

I. Introduction

1. The present case concerns the interpretation of a number of provisions of Regulation (EU) 2016/679 (2) (‘the GDPR’) in relation to, first, the system of remedies established by that regulation and, second, the category of particularly sensitive data consisting of ‘data concerning health’.

2. The request for a preliminary ruling was made in the context of an action for an injunction, based on the prohibition, in national law, of acts of unfair competition, and brought by an undertaking with a view to putting an end to the online marketing of non-prescription medicines by one of its competitors. The alleged act of unfair competition consists, according to that undertaking, of failure to comply with the requirements arising from the GDPR with regard to the processing of ‘data concerning health’.

3. I shall begin my analysis by examining the second question referred for a preliminary ruling, which will enable the Court to define the outlines of the concept of ‘data concerning health’ that determine whether an enhanced protection regime is applicable.

4. In the event that the data at issue in the present case could not be classified as ‘data concerning health’, within the meaning of Article 9(1) of the GDPR, it would follow that the alleged act of unfair competition would not be made out. There would then be no need to answer the first question, which concerns whether the system of remedies established by the GDPR permits the existence, in national law, of an action based on an infringement of the rules relating to the prohibition of acts of unfair competition whereby the applicant relies on an infringement of the substantive provisions of the GDPR.

II. Legal framework

A. European Union law

1. Directive 95/46/EC

5. Directive 95/46/EC (3) provides, in Article 8(1):

‘Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.’

2. The GDPR

6. Recitals 9, 10, 13, 35, 51 and 142 of the GDPR are worded as follows:

‘(9) The objectives and principles of [Directive 95/46] remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of [Directive 95/46].

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

…

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …

…

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in [Directive 2011/24/EU (4)] to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

…

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. … Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

…

(142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject’s mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.’

7. Article 1 of that regulation, entitled ‘[Subject matter] and objectives’, provides:

‘1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’

8. Article 4 of that regulation provides:

‘For the purposes of this Regulation:

(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

…

(15) “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

…’

9. In the words of Article 9 of that regulation, entitled ‘Processing of special categories of personal data’:

‘1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or...