With its ruling (decision 14 LA 1/24), the Lüneburg Higher Administrative Court has made a landmark decision in the area of data protection. This case focused on an online pharmacy that required customers to provide their date of birth in the ordering process. This approach attracted the attention of the data protection authority, which classified the practice as incompatible with the applicable data protection regulations. This view was supported by both the Hanover Administrative Court and the Lüneburg Higher Administrative Court. The decision highlights the increasingly relevant issue of data minimization and data economy in the digital economy and underlines the importance of compliance with the General Data Protection Regulation (GDPR) in all aspects of online commerce.
In its decision, the court emphasized that the collection of the date of birth by the online pharmacy constitutes a clear violation of the principle of data minimization as set out in Art. 5 para. 1 lit. c GDPR is specified. It was made clear that it is perfectly sufficient to provide an address and telephone number to identify a customer. This landmark decision emphasizes the essential importance of always checking exactly what information is actually necessary to fulfill the purpose of the data processing when collecting personal data. The court emphasized that the date of birth is not necessary for the purposes stated by the pharmacy – in particular the clear identification of the customer and the fulfillment of the obligation to provide advice and information. The court also pointed out that there are milder means of determining the legal capacity of customers, for example by simply asking whether they are of legal age. This interpretation shows that data protection is not only a question of compliance with legal requirements, but also a question of proportionality and the careful balancing of the company’s interest in data collection and the protection of customers’ privacy.
This ruling by the OVG Lüneburg impressively underlines the need for companies to continuously review their data processing processes and consistently adapt them to the legal requirements, particularly in the area of data protection. It illustrates that comprehensive legal considerations are essential even for seemingly simple procedures such as a registration process. This decision serves as an important reminder that in the digital age, data protection plays a central role in every customer interaction and should always be a priority.
Companies are required not only to minimize legal risks, but also to strengthen their customers’ trust in the responsible handling of their data. At a time when data breaches are regularly making headlines, it is all the more important that companies take data protection seriously and see it as an integral part of their business practices.
In addition, it is advisable for companies, especially those that operate Software-as-a-Service (SaaS) solutions or online stores, to regularly review their login procedures from a data protection perspective. This includes not only compliance with legal requirements, but also ongoing evaluation and adaptation of processes to ensure the protection and security of user data. Such a proactive approach not only helps to avoid legal pitfalls, but also strengthens the trust of customers and users in the integrity of the company.
Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.
In the multifaceted world of artificial intelligence (AI), a wide range of applications has emerged, from face and speech recognition...
Read moreDetails
Update 03/25/2020: The bill shown below has been weakened. - The obligation to file for insolvency will be suspended initially...
Read moreDetails
The Bundeskartellamt's decision against Facebook garnered some criticism, which begins with the question of the Bundeskartellamt's jurisdiction. But also elementary...
Read moreDetails
Case law on the obligation to label advertising is constantly evolving. A recent ruling by the Regional Court of Trier...
Read moreDetails
Regulation of DLT (distributed ledger technology) is a hot topic in the crypto world. Many executives and decision makers are...
Read moreDetails
The Higher Regional Court of Frankfurt am Main recently ruled that in a case where participation in a competition is...
Read moreDetails
The Federal Court of Justice (BGH) currently has to decide whether a breach by the operator of a social network...
Read moreDetails
OLG Hamm: Proof of e-mail access remains a challenge In a recent ruling (case no. 26 W 13/23 dated 10.08.2023),...
Read moreDetails
As you know, I've written a lot here about artificial intelligence (AI), software as a service (SaaS), and contract clauses...
Read moreDetailsThe Distance Learning Protection Act (FernUSG) has been experiencing a renaissance for some time now. What for decades was considered...
Read moreDetails
In this exciting podcast episode, we delve into the fascinating world of IT start-ups and find out why an experienced...
Read moreDetails
In this video, I talk a bit about transparent billing and how I communicate what it costs to work with...
Read moreDetails
