GDPR - Legal warnings - yes or no?

One of the burning questions since the introduction of the GDPR has been: Can one be legally warned for violations of the GDPR? Yes or no? The answer is "it depends".

There are voices that represent the view that violations of the GDPR generally cannot be subject of a legal warning. For example, EU Justice Commissioner VÄ›ra Jourová and EU parliametarian Jan Philipp Albrecht, both co-initiators of the GDPR. The latter announced with reference to "the prevailing view in jurisprudence and literature" via Twitter that violations of the GDPR entitle neither to a legal warning nor to an action. This statement is misleading in its generality and unfortunately also wrong at the moment.

On the one hand, there is no "prevailing view" on this GDPR issue in the case-law, because if the Würzburg Regional Court (11 O 1741/18) had decided that violations of the GDPR could be warned, the Bochum Regional Court (I-12 O 85/18) had held against it at almost the same time (I-12 O 85/18) and did not permit warnings by competitors. Now however as the first higher regional court in Germany the OLG Hamburg decided and confirmed that an GDPR infringement can be legally warned (3 U 66/17).

On the other hand, according to the old German Privacy Act case law, a missing or incorrect data protection declaration could already be successfully warned by the competition, because several German courts had already decided at the time that § 13 German Tele Media Act, which was decisive at that time, constituted a so-called "market conduct rule" and not merely a regulatory provision (e.g. OLG Hamburg, judgment of 27.06.2013, 3 U 26/12; LG Cologne, decision of 26.11.2015, 33 O 230/15 and LG Hamburg, decision of 07.01.2016, 315 O 550/15).

The above-mentioned current case of the Higher Regional Court in Hamburg concerned a dispute between two pharmaceutical companies which had accused each other of data protection violations with regard to the design of the ordering processes and with regard to the consent / pseudonymisation in the transfer of user data.

In the first instance, the Hamburg Regional Court had decided - based on the old German Privacy Act case law - that GDPR infringements can at any rate be legally warned by competitors if the relevant standard is a "rule of market conduct".

And the OLG Hamburg has now confirmed this.

It remains to be seen how the other higher courts in Germany will position themselves and whether a uniform case law will then emerge. At any rate, very good arguments currently suggest that GDPR infringements can give competitors cause to be legally warned. In any event, this is the case if the infringement is related to competition law or has a "market conduct regulating character".

In addition, it goes without saying that the entitled bodies mentioned in § 3 German Injunctive Relief Act - in particular the consumer protection associations - are also entitled to injunctive relief and indemnification claims in the event of violations of regulations governing the permissibility of the collection, processing and/or use of a consumer's personal data by an entrepreneur. In addition, persons affected by data protection violations can also assert their data protection claims themselves.

And last but not least, the supervisory authorities have extensive instruments at their disposal to punish data protection infringements.

Website managers should therefore continue to attach great importance to GDPR compliance.

Sie können diese Website besuchen, ohne personenbezogene Daten zu hinterlassen. Diese Website nutzt z.B. keine Cookies. In technisch notwendigem Umfang werden in den Server Log Files Informationen gespeichert, die nicht bestimmten Personen zuzuordnen sind. Der Webhoster Ionos erhebt Daten über den Besuch der Webseite ohne die Verwendung von Cookies. Es werden dort IP-Adresse und Browser-Erkennung anonymisiert gespeichert, damit keine Rückschlüsse auf die einzelnen Besucher gezogen werden können. Alles Weitere zum Datenschutz auf dieser Webseite finden Sie unter „IMPRESSUM/DATENSCHUTZ/PGP KEY“

You can visit this website without leaving any personal data. For example, this website does not use any cookies. To the extent technically necessary, information is stored in the server log files that cannot be assigned to specific persons. The web hoster Ionos collects data about visits to the website without the use of cookies. The IP address and browser type are stored there anonymously so that no conclusions can be drawn about the individual visitors. All further information on data protection on this website can be found under "LEGAL NOTICE/DATA PRIVACY/PGP KEY".