GDPR - Legal warnings - yes or no?

One of the burning questions since the introduction of the GDPR has been: Can one be legally warned for violations of the GDPR? Yes or no? The answer is "it depends".


There are voices that take the view that violations of the GDPR generally cannot be the subject of a legal warning, for example EU Justice Commissioner Věra Jourová and EU parliamentarian Jan Philipp Albrecht, both co-initiators of the GDPR. The latter announced via Twitter, with reference to "the prevailing view in jurisprudence and literature", that violations of the GDPR entitle neither to a legal warning nor to an action. This statement is misleading in its generality and unfortunately also wrong at the moment.

On the one hand, there is no "prevailing view" on this GDPR issue in the case law: while the Würzburg Regional Court (11 O 1741/18) decided that violations of the GDPR could be warned, the Bochum Regional Court (I-12 O 85/18) held the opposite at almost the same time and did not permit warnings by competitors. Now, however, the OLG Hamburg, as the first higher regional court in Germany, has decided and confirmed that a GDPR infringement can be legally warned (3 U 66/17).

On the other hand, according to the old German Privacy Act case law, a missing or incorrect data protection declaration could already be successfully warned by the competition, because several German courts had already decided at the time that § 13 German Tele Media Act, which was decisive at that time, constituted a so-called "market conduct rule" and not merely a regulatory provision (e.g. OLG Hamburg, judgment of 27.06.2013, 3 U 26/12; LG Cologne, decision of 26.11.2015, 33 O 230/15 and LG Hamburg, decision of 07.01.2016, 315 O 550/15).

The above-mentioned current case of the Higher Regional Court in Hamburg concerned a dispute between two pharmaceutical companies which had accused each other of data protection violations with regard to the design of the ordering processes and with regard to the consent / pseudonymisation in the transfer of user data.

In the first instance, the Hamburg Regional Court had decided - based on the old German Privacy Act case law - that GDPR infringements can at any rate be legally warned by competitors if the relevant standard is a "rule of market conduct".

And the OLG Hamburg has now confirmed this.

It remains to be seen how the other higher courts in Germany will position themselves and whether a uniform case law will then emerge. At any rate, very good arguments currently suggest that GDPR infringements can give competitors cause to issue a legal warning. In any event, this is the case if the infringement is related to competition law or has a "market conduct regulating character".

In addition, it goes without saying that the entitled bodies mentioned in § 3 German Injunctive Relief Act - in particular the consumer protection associations - are also entitled to injunctive relief and indemnification claims in the event of violations of regulations governing the permissibility of the collection, processing and/or use of a consumer's personal data by an entrepreneur. In addition, persons affected by data protection violations can also assert their data protection claims themselves.

And last but not least, the supervisory authorities have extensive instruments at their disposal to punish data protection infringements.

Website managers should therefore continue to attach great importance to GDPR compliance.
