Administrative Court: Online pharmacy may not process the date of birth and form of address for each product in the ordering process
In its ruling of 09.11.2021 (Case 10 A 502/19, German), the Administrative Court of Hanover has made an interesting decision on the lawfulness of requesting data in an online ordering process. In addition, the court addresses the practice-relevant question of how the characteristic "necessary for the performance of a contract" is to be understood according to Art. 6 (1) lit. b GDPR.
Facts
The data protection authority of Lower Saxony took action based on a complaint. The authority found that the company (later the plaintiff against the authority's decision) displayed an order form on its website as part of the ordering process when the customer opts for the option "Order without registration" and then selects the field "Continue without customer account". The form asks for, among other things, the form of address (with the selection options "Ms." or "Mr.") and the date of birth as mandatory information (marked with an *).
The plaintiff informed the supervisory authority that, in its opinion, the collection of the salutation and date of birth of the customers was mandatory for the fulfillment of the contract with the customers as well as due to legal requirements. The collection and processing of the date of birth served, among other things, to find out whether the contractual partner had limited or full legal capacity, because in the case of limited legal capacity, the customer's legal guardians would have to approve the contract.
The supervisory authority disagreed. It was not necessary to collect the date of birth in every case. For example, the corresponding request should not be made if it is not necessary for age-appropriate dosing or to take into account the manufacturer's age recommendations. The blanket collection of the form of address, irrespective of whether the ordered medication has a gender-specific scope of application in the individual case, also violates the data protection principles of lawfulness and data minimisation.
By decision of 08.01.2019, the supervisory authority instructed the plaintiff to refrain from collecting and from processing the date of birth of the customer on the website in the ordering process, irrespective of the type of medication ordered. In addition, the authority ordered the plaintiff to refrain from using the form of address, which was collected on the website in the ordering process, for the fulfillment of the contract if and to the extent that the subject of the order is medication that is not to be dosed and/or taken in a gender-specific manner.
Court decision
The company took legal action against the decision.
The court did not make any further ruling on the use of the form of address. In the meantime, the plaintiff has added the selection option "without specification" to its order form with regard to the salutation "Mr./Mrs." and supplemented its privacy policy to the effect that this data is requested for the purpose of a friendly and customer-appropriate address and communication and on the basis of Art. 6 (1) lit. f GDPR.
In the opinion of the court, the collection and processing of the date of birth, regardless of which product is ordered, violates the principle of lawfulness standardized in Art. 5 (1) lit. a GDPR.
The collection and processing of the date of birth in the ordering process on the homepage - even for those products that are to be dosed regardless of age - cannot be based on any of the legal bases mentioned in Art. 6 GDPR.
Legal basis Art. 6 (1) lit. b GDPR (contract)
The court assumes that the request for the date of birth cannot be based on Art. 6 (1) lit. b GDPR.
At the outset, the court makes some important points about the understanding of the norm:
"The wording "for the performance of a contract" must not be understood too narrowly in the technical legal sense. In addition to "performance" in the narrower sense, the preparation and initiation of the contract, its execution and also its settlement, in particular for the fulfillment of warranty obligations or secondary performance obligations, are covered."
The court points out that the GDPR does not explicitly define the concept of necessity. However, recital 39 provides a clue, stating that "Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means."
The use of the term "reasonably" allows the conclusion that in principle no excessively strict standards may be applied for the determination of necessity.
However, despite this interpretation, the court here sees no way to justify the processing. The collection and processing of the exact date of birth, which is composed of day, month and year, is not necessary for the performance of the contract for products to be dosed regardless of age.
This aspect is important. The court criticizes the requirement to specify the day, month and year, that is, all three components of the date.
In order to fulfill this contract, the company is obliged to hand over the product to the purchaser and provide ownership of it, while the purchaser is obliged to pay for the ordered product.
"For this purpose, the request of the date of birth is not required in principle".
The court also does not accept the plaintiff's argument that it must request the date of birth in order to check the customer's legal capacity. The risk of a reversal in the case of pending invalid contracts can be equally countered with the simple request of the age of majority.
Legal basis Art. 6 (1) lit. f GDPR (balancing of interests)
Finally, according to the court, the request for the date of birth for products to be dosed regardless of age cannot be based on Art. 6 (1) lit. f GDPR.
There was already a lack of necessity for the collection of data for this purpose. In this regard, the company must accept the less intrusive and equally efficient means of simply querying the age of majority.