Germany built the largest medical cannabis market in Europe largely on the back of telemedicine. After the country’s 2024 reforms removed cannabis from the narcotics list and allowed prescriptions to flow through online consultations and mail-order pharmacy delivery, a wave of telehealth platforms turned a quick digital questionnaire and a video call into a prescription and a package at the door. The volume was enormous. So was the data.
The amendment to Germany’s medical cannabis framework — the MedCanG — is the regulatory correction. It makes an in-person consultation with a doctor mandatory for a cannabis prescription, requires a fresh in-person consultation for follow-up prescriptions on an annual basis, and prohibits the mail-order shipping that made the telehealth model so frictionless. The stated goal is to curb prescribing that critics saw as too easy. The under-examined consequence is what it does to the mountains of patient data those platforms accumulated and the workflows that generated it.
What the amendment changes
The core provisions reshape the prescribing relationship:
- Mandatory in-person consultation. A patient now needs an in-person consultation with a doctor to obtain a cannabis prescription, replacing the purely remote model that dominated.
- Annual in-person renewal. Follow-up prescriptions require a new in-person consultation at least once a year.
- Shipping prohibition. The mail-order delivery of medical cannabis is prohibited, with pharmacy delivery services excluded from the workflow that previously carried product to the patient’s door.
For a telehealth-first operator, this is not a tweak. It removes the two pillars — remote prescribing and mail delivery — that the business model rested on.
The data problem nobody is naming
Here is what the policy debate is missing. The telemedicine cannabis boom generated some of the most sensitive personal data imaginable: health conditions, symptoms, prescription histories, identity documents, payment information, and delivery addresses, all tied to a substance that still carries social stigma. Under the GDPR, health data is a special category requiring heightened protection. Cannabis prescription data is squarely within it.
The amendment creates three distinct data challenges for platforms that operated under the old rules.
1. Legacy data from a model that no longer exists. Platforms hold large volumes of patient data collected to support remote prescribing and shipping. As those activities become unlawful, the purpose that justified collecting and retaining much of that data evaporates. Under GDPR principles of purpose limitation and storage limitation, data may not be kept indefinitely once the purpose is gone. Operators need a defensible answer to a simple question: why are we still holding this, and for how long?
2. Workflow data flows that have to be rebuilt. Moving from remote to in-person consultations changes who collects what, where, and how it moves between doctor, platform, and pharmacy. Every change to a data flow is a change to the lawful basis, the processing record, and potentially the data protection impact assessment behind it. Platforms cannot simply bolt an in-person step onto a system designed for remote-only and assume their GDPR documentation still holds.
3. The shipping ban orphans logistics data. Delivery addresses, courier records, and fulfillment data were collected to ship product. With shipping prohibited, that data category loses its justification. Retaining it “just in case” is exactly the kind of practice GDPR enforcement targets.
What operators in the German market should do
Re-map every data flow against the new model
Document how patient data will move under in-person consultation and pharmacy pickup, and compare it to the old remote-and-ship flows. Update your records of processing activities and your lawful-basis analysis to match what you actually do now, not what you used to do.
Run a data minimization and deletion pass on legacy records
Identify data collected solely to support remote prescribing and shipping. Where the original purpose no longer applies and no other lawful basis or retention obligation requires keeping it, build a defensible deletion schedule. This is both a compliance requirement and a risk reduction: data you no longer hold cannot be breached.
Reassess your processors
Telehealth cannabis platforms typically rely on a chain of processors — video consultation tools, identity verification, payment processors, logistics partners. As the model changes, some of those relationships end and others change scope. Review your data processing agreements, confirm that decommissioned processors actually delete the data they held, and update agreements for the processors that remain.
Refresh your DPIA
A change of this magnitude to how special-category health data is processed is a textbook trigger for revisiting your data protection impact assessment. If you do not have one for your cannabis operations, the amendment is the moment to build it.
Treat the transition as a breach-risk window
Periods of system change — migrating workflows, decommissioning services, moving data between processors — are when sensitive data is most likely to be exposed through misconfiguration or oversight. Tighten access controls and monitoring during the transition specifically.
The wider lesson for international operators
Germany’s experience is a cautionary tale that travels. Wherever telemedicine drives a cannabis market, it accumulates concentrated, special-category health data at speed — often faster than the platforms build the governance to protect it. When the regulatory model shifts, as it inevitably does in a young industry, operators are left holding sensitive data tied to a purpose that no longer exists, in workflows that no longer match their documentation.
The operators who weather the MedCanG amendment well will be the ones who treated patient data as a regulated liability from the start, not a growth asset to be hoarded. For everyone building telehealth-driven cannabis businesses in other markets, the message is to design for the regulatory correction before it arrives — because in this industry, it always does.
For related international coverage, see our analysis of Switzerland’s cannabis pilots and data protection and the Netherlands cannabis experiment.
This article is provided for informational purposes only and does not constitute legal advice.
