Violations of the GDPR are also competition violations
Since 2018, in Germany the question has been whether competitors can issue each other with warnings if the GDPR is violated. Now the ECJ has ruled: they can. In this article, we explain why we do not expect a new wave of warnings despite this ruling.
The ECJ (judgment of October 4, 2024, C-21/23) had to clarify the question of whether competitors can issue warnings to each other for violations of the GDPR.
Sale of medication via Amazon
At issue was a dispute between two pharmacists. One of them was selling prescription-only medicines via Amazon. The other was of the opinion that this distribution via Amazon was unlawful because customers did not consent to the processing of their health data.
The Regional Court of Dessau-Roßlau (in Germany) agreed and ruled that selling prescription-only medicines via Amazon constituted unfair commercial practices.
Ultimately, the case ended up before the German Federal Court of Justice (“BGH”).
Questions referred by the BGH
The BGH suspended the proceedings and referred two questions to the ECJ for a preliminary ruling:
- Do the provisions of Chapter VIII of the GDPR preclude national provisions which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the possibilities for legal protection of the data subjects, grant competitors the power to take action against the infringer before the civil courts for violations of the GDPR on the grounds of the prohibition of unfair commercial practices?
- Are the data that customers of a pharmacist who is a seller on an online sales platform enter when ordering medicines that are pharmacy-only but not prescription-only on that platform (customer name, delivery address and information necessary for the individualization of the ordered pharmacy-only medication), health data within the meaning of Art. 9 para. 1 GDPR and data concerning health within the meaning of Art. 8 para. 1 of the Data Protection Directive?
Decision of the ECJ
The ECJ first notes that the wording of the GDPR does not preclude a competitor’s right to injunctive relief.
A violation of the GDPR may not only affect the interests of the data subject, but also those of third parties, such as competitors. Article 82(1) of the GDPR clarifies that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation” has the right to receive compensation.
The Court has also already ruled in previous decisions that a violation of the GDPR may constitute a violation of consumer protection rules or an unfair commercial practice.
“In this context, it should be noted that access to personal data and its use in the digital economy are of considerable importance. Access to personal data and the possibility of processing it have become an important parameter of competition between companies in the digital economy. In order to take account of actual economic developments and to maintain fair competition, it may therefore be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices.”
In the past, the ECJ had already ruled that consumer protection agencies can issue warnings for violations of the GDPR.
The ECJ sees the possibility for competitors to take action against GDPR violations as a way to strengthen the practical effectiveness of the GDPR. It also believes that this could improve the desired high level of protection of the data subjects with regard to the processing of their personal data.
No restriction of other legal remedies in the GDPR
The ECJ also states that the possibility of injunctive relief does not affect the other legal remedies under the GDPR. For example, a data subject can still lodge a complaint with the supervisory authority.
Fines imposed by the authorities also remain a possibility.
Efficient law enforcement
The ECJ emphasizes that injunctive relief from competitors can help prevent numerous violations of the rights of data subjects.
Cease-and-desist letters are possible
In summary, the ECJ answers that competitors can issue cease-and-desist letters for violations of the GDPR and can also assert their claims for injunctive relief in court.
Health data in der GDPR
In response to the second question, the ECJ ruled that in a case in which a pharmacy operator sells pharmacy-only medicines via an online platform, data that its customers have to enter when ordering these medicines online (such as name, delivery address and information necessary for the individualization of the medicines) constitute health data within the meaning of these provisions, even if the sale of these medicines does not require a medical prescription.
This means that the strict rules of Art. 9 GDPR apply.
No GDPR warning letters to fear
Despite this clarification by the ECJ, new waves of warning letters are not to be expected.
This is partly due to Section 13 (4) no. 2 of the German Unfair Competition Act (UWG). According to this provision, the person issuing the warning will not be reimbursed for their costs if the person being warned has fewer than 250 employees.
On the other hand, however, the admonisher would have to expect a counter-admonishment under certain circumstances. Particularly in the area of data protection, many companies are likely to still have areas that need improvement, since the implementation of the GDPR in practice is associated with numerous challenges.
In this case, the motto “What I can’t do right myself, I won’t criticize in another” should apply.
Conclusion
The ECJ ruling clarifies the legal situation. It does not come as a surprise. Especially in the recent past, there were hardly any voices left that doubted that competitors could also issue warnings for violations of the GDPR.
Despite this possibility, it is not to be expected that waves of warnings will now roll across the country.
Verknüpfte Anwälte
Partner, certified specialist for information technology law