Competitors may issue warnings for violations of the GDPR

Since the GDPR came into force in 2018, there has been debate in Germany as to whether competitors and consumer associations can issue warnings for violations of the GDPR. Now, the Federal Court of Justice (BGH) has finally clarified this issue.

The BGH (judgment of March 27, 2025, I ZR 186/17, I ZR 222/19, and ZR 223/19) has ruled that both consumer protection associations (such as consumer centers) and competitors can issue warnings for violations of the GDPR. This increases the risk for companies that (consciously or unconsciously) do not comply with data protection regulations.

Consumer center against Facebook

In one case, the The Federation of German Consumer Organisations (vzbv) sued Meta Platform Ireland Limited, which operates the social network Facebook. The case concerned Facebook’s failure to adequately inform its users about the scope and purpose of the collection and use of their personal data.

After the ECJ had already ruled that consumer protection associations can also pursue GDPR violations by means of injunctions, the BGH has now followed this assessment.

The BGH press release states:

“Art. 80 (2) GDPR provides a suitable basis for associations to pursue violations of the General Data Protection Regulation under the Law Against Unfair Competition and the Injunction Act.

The aforementioned consumer associations are therefore authorized under Section 8 (3) No. 3 UWG and Section 3 (1) Sentence 1 No. 1 UKlaG to take action against violations of information obligations pursuant to Art. 12 (1) Sentence 1 GDPR in conjunction with Art. 13(1)(c) and (e) GDPR for violations of the Unfair Competition Act and a consumer protection law within the meaning of Section 2(1) and (2) sentence 1 No. 13 UKlaG, as well as the use of an invalid general term and condition pursuant to Section 1 UKlaG by way of an action before the civil courts.

In this respect, it is irrelevant that the plaintiff brought his action independently of the specific violation of data protection rights of a data subject and without a mandate from such a person. Since an institution within the meaning of Art. 80 (2) GDPR cannot be required to identify in advance the individual person who is specifically affected by the processing of data that is presumed to violate the provisions of the General Data Protection Regulation, the designation of a category or group of identifiable natural persons is sufficient for the filing of such a class action.

It is also sufficient for the entity to invoke that the violation of the rights of that person occurs in connection with the processing of personal data and is based on a breach of the obligation incumbent on the controller pursuant to Art. 12(1) sentence 1 and Art. 13(1)(c) and (e) of the GDPR, because in the case in dispute it cannot be assumed that the plaintiff is asserting purely hypothetical violations with his action.”

If the information is not communicated to the user in accordance with Art. 13 GDPR, this constitutes a violation of § 5a (1) UWG, as essential information is withheld.

Shipment of medicinal products via Amazon

In the two other proceedings, competing pharmacies disputed the admissibility of distributing medicinal products via the Amazon platform.

On the one hand, this concerned the question of whether competitors can issue warnings to each other for GDPR violations. The other issue was whether the data entered by a customer when ordering medicines from Amazon constitutes health data within the meaning of Art. 9 GDPR.

The BGH answered both questions in the affirmative in its ruling. From the press release:

“The processing and use of data entered by customers of the defendant when ordering a medicine online via a pharmacist’s account on the Amazon Marketplace, such as the customer’s name, delivery address, and information necessary for the individualization of the ordered medicine, violates Art. 9 (1) GDPR if, as in the case in dispute, it is carried out without the express consent of the customers. The order data constitutes health data within the meaning of this provision, even if the medicine does not require a doctor’s prescription.

Article 9(1) GDPR is a market conduct regulation within the meaning of Section 3a UWG, so that a violation of this provision can be prosecuted by a competitor pursuant to Section 8(3)(1) UWG by way of a competition law action before the civil courts. The provisions on the requirement of consent to the processing of personal data serve to protect the personal rights interests of consumers, particularly in connection with their participation in the market. Consumers should be free to decide whether and to what extent they disclose their data in order to participate in the market and conclude contracts.“

In these proceedings, too, the Federal Court of Justice had previously referred the matter to the ECJ.

Conclusion

So far, only the press release of the Federal Court of Justice is available; the full text of the decisions with detailed reasoning is expected to be published in the next few days.

However, it can already be said that the issue of data protection is becoming even more important. The risk of being held liable for violations of the GDPR is increasing as a result of these decisions by the Federal Court of Justice.

And there is a danger that the risk will increase even further.

The Advocate General at the ECJ (C-655/23) expressed the view that data subjects are also entitled to injunctive relief against a company if it has violated the GDPR.

We are happy to assist you with any questions you may have regarding data protection and data security.