With its ruling (decision 14 LA 1/24), the Lüneburg Higher Administrative Court has made a landmark decision in the area of data protection. This case focused on an online pharmacy that required customers to provide their date of birth in the ordering process. This approach attracted the attention of the data protection authority, which classified the practice as incompatible with the applicable data protection regulations. This view was supported by both the Hanover Administrative Court and the Lüneburg Higher Administrative Court. The decision highlights the increasingly relevant issue of data minimization and data economy in the digital economy and underlines the importance of compliance with the General Data Protection Regulation (GDPR) in all aspects of online commerce.
In its decision, the court emphasized that the collection of the date of birth by the online pharmacy constitutes a clear violation of the principle of data minimization as set out in Art. 5 para. 1 lit. c GDPR is specified. It was made clear that it is perfectly sufficient to provide an address and telephone number to identify a customer. This landmark decision emphasizes the essential importance of always checking exactly what information is actually necessary to fulfill the purpose of the data processing when collecting personal data. The court emphasized that the date of birth is not necessary for the purposes stated by the pharmacy – in particular the clear identification of the customer and the fulfillment of the obligation to provide advice and information. The court also pointed out that there are milder means of determining the legal capacity of customers, for example by simply asking whether they are of legal age. This interpretation shows that data protection is not only a question of compliance with legal requirements, but also a question of proportionality and the careful balancing of the company’s interest in data collection and the protection of customers’ privacy.
This ruling by the OVG Lüneburg impressively underlines the need for companies to continuously review their data processing processes and consistently adapt them to the legal requirements, particularly in the area of data protection. It illustrates that comprehensive legal considerations are essential even for seemingly simple procedures such as a registration process. This decision serves as an important reminder that in the digital age, data protection plays a central role in every customer interaction and should always be a priority.
Companies are required not only to minimize legal risks, but also to strengthen their customers’ trust in the responsible handling of their data. At a time when data breaches are regularly making headlines, it is all the more important that companies take data protection seriously and see it as an integral part of their business practices.
In addition, it is advisable for companies, especially those that operate Software-as-a-Service (SaaS) solutions or online stores, to regularly review their login procedures from a data protection perspective. This includes not only compliance with legal requirements, but also ongoing evaluation and adaptation of processes to ensure the protection and security of user data. Such a proactive approach not only helps to avoid legal pitfalls, but also strengthens the trust of customers and users in the integrity of the company.
Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.
Introduction: It has been a while since the German government published its position paper on blockchain strategy. This document, which...
Read moreDetails
I am always contacted by requests, such as how to deal with platforms such as Upwork, Fiverr, Freelancer.com, for example...
Read moreDetails
The Federal Court of Justice has to decide whether, in the way a game is offered there, in the way...
Read moreDetails
In its judgment of July 16, 2020 (Case C311/18), the European Court of Justice declared the European Commission's Decision 2016/1250...
Read moreDetails
In my IT Media Law Podcast, I focus on exciting topics relating to law, technology and digital transformation. So far,...
Read moreDetails
While vany entrepreneurs in the IT and startup-sector are struggling with the daily challengeschallenges of business developmentare preoccupied with thean...
Read moreDetails
The operator of a fan page maintained on Facebook may be required to shut down its fan page if the...
Read moreDetails
The First Civil Senate of the Federal Court of Justice, which is responsible among other things for claims under the...
Read moreDetails
Did Cathy Hummels advertise on her Instagram profile as an influencer? This question was addressed by the Munich Higher Regional...
Read moreDetailsPrivate accounts on ChatGPT & Co. for corporate purposes are a gateway to data protection breaches, leaks of secrets and...
Read moreDetails
In this episode of the Itmedialaw podcast, lawyer and entrepreneur Marian Härtel takes you on a journey through the legal...
Read moreDetails
In this video, I talk a bit about transparent billing and how I communicate what it costs to work with...
Read moreDetails
