Article | 24 Nov 2024
The interpretation of Personal data concerning health – key takeaways from recent decisions
In recent rulings, both the Court of Justice of the European Union, or the European Court of Justice (“ECJ”), and the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten, “IMY”) have provided clarifications regarding the definition and interpretation of the use of sensitive personal data (i.e. “special categories of personal data”), specifically where such data concerns a data subject’s health. This brief article intends to provide a short background on the recent rulings, as well as some key takeaways for those processing sensitive personal data, for example, concerning health.
The legal framework
To start from the beginning, the General Data Protection Regulation (“GDPR”) defines personal data in Article 4.1 as “any information relating to an identified or identifiable natural person” and singles out, in Article 9, a specific category – special categories of personal data – that is subject to an even higher level of protection. The special categories, exhaustively enumerated in the article, include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health and data concerning a natural person’s sex life or sexual orientation. Such personal data are more commonly referred to as sensitive personal data, and that is the term we will use throughout this article. As a main rule, the processing of sensitive personal data is prohibited unless, for example, the data subjects have provided explicit consent.
In relation to sensitive personal data and, more specifically, personal data concerning health, Recital 35 of GDPR clarifies that “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental status of the data subject.”
Possibility of drawing conclusions on health when purchasing products from an online pharmacy
In connection with the processing of personal data regarding health when operating a pharmacy online, in Lindenapotheke, C-21/23, of 4 October 2024 (the “Lindenapotheke” case), the operator provided an online platform where both prescription and non-prescription medicinal products were sold. The claimant, a competitor of the pharmacy’s operator, claimed that the processing of personal data is unlawful, since there is no guarantee that customers will be able to give their prior consent to the processing of personal data concerning health.
The referring court in Germany asked, amongst other questions, whether the fact that customers of a pharmacy operator, who markets both prescription and non-prescription medicinal products online, had to enter personal data (e.g. name, delivery address and additional information needed to individualise the medicinal products) should be considered to involve processing of sensitive personal data concerning health. The ECJ clarifies that sensitive personal data shall be given a broad interpretation and that it is therefore sufficient that the data are capable of revealing information about the health status of the data subject, for example by deduction. As a general rule, to the extent that the processing establishes a link between a medicinal product, its therapeutic indications or uses and a natural person identified or identifiable by factors such as that person’s name or the delivery address, the processing should be considered as concerning health. The ECJ further clarifies that this applies irrespective of whether the personal data relate to the user of the online platform or to someone else, such as a family member or anyone registered at the delivery address. In conclusion, such processing should be considered as processing of sensitive personal data and is unlawful unless the data subject has provided their explicit consent, or the processing is necessary for the purposes of the provision of healthcare pursuant to applicable law.
Review of Apoteket AB’s processing of personal data and the classification as sensitive personal data
Prior to the ECJ ruling presented above, IMY published, on 29 August 2024, its decision regarding Apoteket AB’s (“Apoteket”) processing of personal data through the use of Meta Platforms Ireland Limited’s (“Meta”) analytical tool, referred to as the “Meta-pixel”. In this case, Apoteket had reported a personal data breach to IMY stating that its use of the Meta-pixel on its website www.apoteket.se had allowed the transfer of personal data concerning its customers to Meta. Apoteket had used the Meta-pixel for marketing purposes since 2017, primarily in order to measure the effect of Apoteket’s marketing via Meta’s social platforms, such as Instagram and Facebook. In 2020, additional features were activated by individual employees without any prior risk assessments being performed. Apoteket noticed this use in 2022, deactivated the tool immediately and filed a data breach report with IMY.
According to Apoteket, personal data such as names, e-mail address, personal identification number and gender were subject to transfer to Meta. Where a customer had enabled marketing cookies and made a purchase, several product categories were also transferred, including products for treatment of allergies, psoriasis, rosacea, stomach and prostate issues and pregnancy tests. However, Apoteket had taken the decision not to implement the Meta-pixel where it is possible for the customer to purchase prescription medicinal products. The data subjects concerned were estimated to total at most 930,000.
Apoteket argued that it is categorically not possible to state that sensitive personal data have been transferred to Meta, and that out of its various products only a select few would actually be linked to information on a data subject’s health, and only if such product is directly linked to a data subject. However, IMY relied on previous rulings from the ECJ – which have now been further validated by the Lindenapotheke case – and clarified again that data concerning health should be given a broad interpretation.
It is worth noting that, where Apoteket argues that it is uncertain whether the products purchased actually pertain to the individual placing the order, IMY briefly concludes that such a connection cannot be excluded. As seen in the Lindenapotheke ruling, it has now been clarified that whether or not the personal data pertain to the individual placing the order or to someone else is not on its own a decisive factor. In its decision, IMY states that Apoteket’s security measures, as required by GDPR, were insufficient and imposes an administrative fine of SEK 37,000,000 (with due consideration of the fact that the maximum fine in relation to Apoteket’s total annual turnover was SEK 465,400,000).
Key takeaways in the light of Lindenapotheke and Apoteket
These recent rulings highlight the need for awareness and a thorough risk assessment for parties processing personal data as part of their business. While GDPR stipulates that all processing of personal data should be preceded by a thorough review, for example of its intended purpose, scope, duration, security and legality, extra care is essential when processing sensitive personal data. Even though many of the requirements of GDPR are similar for non-sensitive and sensitive personal data, extra caution is often required for sensitive data, in addition to the prerequisites of consent and applicable safety measures.
While many actors operating in the life sciences field may process extensive personal data, for example during development, research, studies and tests, we recommend that extra attention is paid to the broad interpretation established by the ECJ and, in particular, that (i) a combination of personal data may disclose personal data concerning health, (ii) GDPR includes past, present and future physical or mental health within its scope, and (iii) a link between different factors (in this case non-prescription medicinal products and a natural person) is enough to consider that personal data concerning health is disclosed, and that this applies irrespective of whether the personal data relate to the user or to someone else. In short, sensitive personal data may involve a lot more than is apparent at first glance.