Insight into the case
With its ruling (decision 14 LA 1/24), the Lüneburg Higher Administrative Court has made a landmark decision in the area of data protection. This case focused on an online pharmacy that required customers to provide their date of birth in the ordering process. This approach attracted the attention of the data protection authority, which classified the practice as incompatible with the applicable data protection regulations. This view was supported by both the Hanover Administrative Court and the Lüneburg Higher Administrative Court. The decision highlights the increasingly relevant issue of data minimization and data economy in the digital economy and underlines the importance of compliance with the General Data Protection Regulation (GDPR) in all aspects of online commerce.
Legal assessment
In its decision, the court emphasized that the collection of the date of birth by the online pharmacy constitutes a clear violation of the principle of data minimization as set out in Art. 5 para. 1 lit. c GDPR. It was made clear that it is perfectly sufficient to provide an address and telephone number to identify a customer. This landmark decision emphasizes the essential importance of always checking exactly what information is actually necessary to fulfill the purpose of the data processing when collecting personal data. The court emphasized that the date of birth is not necessary for the purposes stated by the pharmacy – in particular the clear identification of the customer and the fulfillment of the obligation to provide advice and information. The court also pointed out that there are less intrusive means of determining the legal capacity of customers, for example by simply asking whether they are of legal age. This interpretation shows that data protection is not only a question of compliance with legal requirements, but also a question of proportionality and the careful balancing of the company’s interest in data collection and the protection of customers’ privacy.
Significance for practice
This ruling by the OVG Lüneburg impressively underlines the need for companies to continuously review their data processing procedures and consistently adapt them to the legal requirements, particularly in the area of data protection. It illustrates that comprehensive legal considerations are essential even for seemingly simple procedures such as a registration process. This decision serves as an important reminder that in the digital age, data protection plays a central role in every customer interaction and should always be a priority.
Companies are required not only to minimize legal risks, but also to strengthen their customers’ trust in the responsible handling of their data. At a time when data breaches are regularly making headlines, it is all the more important that companies take data protection seriously and see it as an integral part of their business practices.
In addition, it is advisable for companies, especially those that operate Software-as-a-Service (SaaS) solutions or online stores, to regularly review their login procedures from a data protection perspective. This includes not only compliance with legal requirements, but also ongoing evaluation and adaptation of processes to ensure the protection and security of user data. Such a proactive approach not only helps to avoid legal pitfalls, but also strengthens the trust of customers and users in the integrity of the company.