May a webshop continue to send emails about my medical purchase?

A medical device purchase is often a private matter. Receiving follow-up emails that reveal the nature of such a purchase can therefore feel like an invasion of privacy. On 26 September 2025, the Data Protection Authority (DPA) issued an important warning (decision no. 152/2025) to an organization that sent such emails: processing data about medical purchases is not permitted without justification, and customers must always have the option to object to it effectively.

The facts: automatic follow-up emails after medical device purchase

A person regularly purchased a specific medical device through the online store of an interest group for patients with a certain condition. After each order, this person received an automated "aftercare email" asking them to evaluate the product they had purchased, explicitly mentioning the product.

When the customer indicated that they no longer wanted to receive these emails, the web shop replied that this was technically impossible: the emails were inseparable from the purchase process and could not be stopped for individual customers. The customer felt their privacy had been violated and turned to the Data Protection Authority.

The decision of the DPA

In its decision of 26 September 2025, the Litigation Chamber of the DPA (GBA) issued a double warning to the organization in question.

First, the DPA argues that the purchase data should probably be considered "health data" in this particular context. After all, the purchase was made from an interest group for a specific disease, so the customer's health status could be inferred from the order. The processing of such sensitive data is subject to the strict rules of Article 9 of the General Data Protection Regulation (GDPR). The webshop therefore not only needed a valid reason (such as the execution of the sales agreement), but also a specific exception to the fundamental prohibition on processing health data.

Second, the DPA ruled that the customer's right to object was violated. The webshop based sending the follow-up emails on its "legitimate interest" to check the quality of its products. According to Article 21 of the GDPR, a person must be able to effectively object to processing based on this ground at any time. Because the organization claimed that the emails could not be stopped for technical reasons, the customer was deprived of this right.

Fortunately, even before the ruling, the defendant had already taken steps to adjust the practice by deactivating the automated emails and removing the product names from the communications.

Legal analysis and interpretation

This decision highlights two crucial principles within the GDPR.

  1. The broad interpretation of health data: The DPA implicitly refers to recent European case law (such as the Lindenapotheke ruling) which interprets the term "health data" broadly. It is not just a medical record at a doctor's office. It also includes information from which a person's state of health can be inferred. The purchase of a specific device from a specialized organization is a textbook example. This means that organizations must be extremely careful when processing order data that may reveal sensitive information. A mere "legitimate interest" is often insufficient as a legal basis, and explicit consent or another exception under Article 9(2) GDPR must be considered.
  2. The right to object is absolute and must be technically possible: A controller cannot hide behind technical restrictions to ignore the rights of data subjects. The principle of ‘data protection by design’ requires that systems and processes be designed in such a way that they comply with data protection legislation. If an organization processes personal data based on its legitimate interest, it must take the technical and organizational measures to make an "opt-out" or objection simple and effective. The claim "the system doesn't allow it" is not a legally valid defense.

What this specifically means

  • For consumers: Please be aware that your purchase history may contain sensitive information. If you receive unwanted communications based on your purchases, you have the right to object. An organization is obliged to respect this objection and stop processing for that purpose (e.g., marketing, quality control).
  • For web shops and organizations: Analyze the data you process. Could purchase data reveal information about someone's health, religious beliefs or other sensitive topics? If so, you fall under the strict regime of Article 9 GDPR. Make sure your systems (e.g., email marketing, CRM) are flexible enough to immediately honor customers' rights, such as the right to object. A standard "unsubscribe" link is often not sufficient when it comes to different types of communications.

FAQ (frequently asked questions)

What exactly is "data about health" according to the GDPR?
This is a broad term. It includes all personal data related to a person's physical or mental health, including data from which information about their health status can be derived. Think of a doctor's prescription, but also of the purchase of a specific medical product from a specialized supplier.

How can I object to unsolicited emails?
You can contact the organization directly and explicitly state that you oppose the processing of your data for that specific purpose (e.g. marketing, surveys), based on Article 21 GDPR. The organization must inform you of the steps they have taken. If they do not respond or refuse unjustifiably, you can file a complaint with the Data Protection Authority.

Conclusion

This DPA ruling is a clear reminder that data subject rights under the GDPR, and in particular the right to object, must be taken seriously. Organizations cannot hide behind technical limitations to circumvent the GDPR. Especially when it comes to processing sensitive health data, the highest caution is required.

Joris Deene

Attorney-partner at Everest Attorneys

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be