This blog post was written by our GDPR expert, Sebastian Bayer.
Summary of the Expert’s Article:
In short, this article says that if your online shop sells products targeted at human health, the GDPR prohibits you from marketing to customers based on their previous purchases. For example, if a customer has bought a cream for foot fungus, you may not subsequently advertise to the customer that they can buy other products that also help against foot fungus. This is because, according to the GDPR, you may not use information about the person's health for marketing.
Following the adoption of the GDPR, there are new rules that you, as a business, must be aware of. This means that there is a greater focus on the correct processing of personal data, whether it is given to you directly or indirectly. Online shops have been particularly hard hit by this, as they usually collect a large amount of personal information in order to meet their obligations and have a broad product portfolio. This creates the possibility that a product sold by an online shop will give a deeper insight into customers' private lives.
If you have an online shop selling natural medicine, personal care products, dietary supplements and similar products that relate to people's health, you are at risk that the personal information you receive will no longer be regarded as general personal information, but rather as sensitive personal information. And if you receive sensitive information, there are higher requirements for your processing of this personal data.
This is because information about the sale of the above products can lead you to draw conclusions about the customer's state of health. Information about a person's health is defined in the personal data regulation as sensitive. This is due to the use of profiling in which the online shop uses previous purchases to "guess" what other products the customer is interested in.
This article helps you understand how such a situation occurs and what you, as a business, should do to avoid fines or bad reviews because your online shop pushed the limits of the personal data regulation.