Monthly Update – November 2024

November 2024 was a busy month for privacy and tech regulation. Three developments stand out: a landmark court ruling that lets competitors sue each other over GDPR breaches, a major new cybersecurity law entering into force, and a Belgian DPA decision that should make every business rethink how it handles consent.


The Lindenapotheke Case: your competitor can now take you to court over GDPR

What happened

A German pharmacist took a competitor to court for processing customers' health data without the required explicit consent. The German courts agreed this violated GDPR and that it gave the competitor an unfair business advantage. The Court of Justice of the European Union confirmed that under national unfair competition law, competitors have the right to bring legal action over another company's GDPR violations.

The case also clarified something important about health data: when customers purchase pharmacy-only medicines online, the data they provide (name, address, the product ordered) qualifies as health data under GDPR. That means the stricter rules for special category data apply.

What this means for you

GDPR compliance is no longer just about avoiding fines from regulators. Competitors can now take you to court if they believe you are breaking the rules. If a GDPR breach also gives you a competitive advantage, you could face both regulatory enforcement and civil litigation.

This raises the stakes considerably. Staying on top of your privacy practices is more important than ever, not just to satisfy regulators, but to protect your business from legal action by other market players.

If you sell products or services online and collect data in the process, check whether any of that data could qualify as health data. If it does, you need explicit consent before processing it.


The Cyber Resilience Act: new cybersecurity obligations for digital products

What happened

The Cyber Resilience Act (CRA) entered into force on 10 December 2024. It introduces mandatory cybersecurity requirements for all products with digital elements sold on the EU market. That includes laptops, smartphones, mobile apps, baby monitors, smart watches, video games, and desktop applications.

Products in scope will need to meet specific cybersecurity and vulnerability requirements. The timeline is phased:

  • From September 2026: mandatory reporting obligations for actively exploited vulnerabilities and serious security incidents apply.

  • From December 2027: full compliance required. Products that do not meet the CRA requirements cannot be sold in the EU from that date.

What this means for you

If your company builds products with digital elements, now is the time to assess whether the CRA applies to you. While full enforcement is still a few years away, the design and development decisions you make today will determine how straightforward compliance will be in 2027.

The September 2026 reporting deadline is approaching sooner than many businesses realise. Do not wait until 2027 to start preparing. Incorporating these requirements into your current processes will save you significant time and cost down the line.


The Freedelity Case: the ID card turned into a loyalty card

What happened

Freedelity is a Belgian company that allows retailers to collect customer data, mainly by scanning the customer's identity card. The data collected is stored centrally and shared across different retailers in the Freedelity network.

The Belgian Data Protection Authority found that Freedelity's practices violated GDPR on several counts. The consent obtained from customers did not meet GDPR standards. Freedelity was collecting data that was not necessary for the services it provided. And it was storing customer data for eight years, which the Authority considered far too long.

Freedelity appealed the decision. The Market Court upheld the findings on the GDPR violations but set aside the sanctions, ruling that the four-month implementation period imposed by the DPA was unreasonable given that the co-responsible retailers were not part of the proceedings.

What this means for you

The basics of GDPR compliance are exactly what caught Freedelity out: a valid legal basis, data minimisation, and reasonable retention periods. These are the fundamentals, and they are still the most common areas where things go wrong.

If your service or product relies on third parties to collect data on your behalf, make sure you have clear agreements in place and that those third parties are actually implementing them. Ask yourself the key questions: do you have a proper legal basis for every processing activity? Are you collecting only what you genuinely need? Are you deleting data within a reasonable timeframe?

If you work with retailers, partners, or other companies that collect data for you, give them clear guidelines and verify that they are following them.


Want to make sure your business is on the right side of these developments? Book a free introduction call and we will take a look at where you stand.


We take great care in providing information to you, but please be aware that these blog posts cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship.