Introduction
On 27 March 2025, the German Federal Court of Justice (Bundesgerichtshof ”FCJ”) published a number of judgments in which it took the view that breaches of data protection law can be prosecuted before the civil courts by way of an action under the harmonised Act against Unfair Competition (UWG). This allows any competitor and competition and consumer protection associations to pursue such breaches before the courts. Enforcement is therefore not limited anymore to data protection authorities.
First case: Legal standing for consumer organisations due to infringements of information obligations under the GDPR
In its judgement of March 27, 2025, no. I ZR 186/17, the FCJ establishes the standing of qualified competition and consumer organisations to bring actions for breaches of the GDPR.
The defendant operates a social network. In the network, games were offered. Users were informed about the collection and use of their personal data under the "Play now" button. However, this information was held to be inadequate and, in some cases, misleading. The claimant, the Verbraucherzentrale Bundesverband, considered this to be a breach of data protection information obligations (Art. 12 and 13 GDPR) and claimed injunctive relief against the defendant.
The court decided that a breach of the information obligations under the GDPR also constitutes a breach of competition law, as essential information was withheld (Sec. 5a (1) UWG). The FCJ decided, in accordance with Art. 80 (2) GDPR, that both competitors and competition watch dogs, such as the plaintiff, could pursue breaches of the GDPR before the civil courts, irrespective of a mandate from the data subject who was not adequately informed.
Second case: Competition law action brought by a competitor for breach of GDPR provisions
In another judgment of March 27, 2025, no. I ZR 222/19 and no. ZR 223/19, the FCJ ruled that Art. 9 (1) GDPR also has the function to regulate market conduct within the meaning of Sec. 3a UWG, which allows for civil actions before the courts.
The claimant pharmacists took legal action against the defendant pharmacists, who sold medicinal products via Amazon's platform, seeking an injunction (and in case I ZR 222/19 also damages), asserting that the defendants violated the GDPR applicable to health data by collecting, processing, and using customer data.
The FCJ argued that the provisions on data protection consent under Article 9(1) of the GDPR also protect consumers in connection with their participation in the market, which is why it falls under the market conduct rules pursuant to Sec. 3a UWG. Again, such breaches can be pursued before civil courts by competitors and competition watch dogs, irrelevant of whether they are mandated by the data subjects or not.
Overall analysis and practical effects
By classifying data protection provisions as market conduct rules in accordance with Section 3a UWG, data protection violations will in future be regarded as actionable acts of unfair competition. This significantly expands the circle of parties entitled to initiate legal action (including cease and desist proceedings). Both competitors as well as competition and consumer protection associations may bring actions even if they are not themselves directly affected or are not directly representing those affected.
The second ruling also emphasises the importance of data protection in the online sale of health-related products. Sellers must ensure they obtain explicit customer consent before processing any personal data in connection with health-related products. Failing to do so exposes them not only to penalties from data protection authorities but also to legal action from competitors under the UWG.
In the future, we can expect an increase in competition law claims for data protection violations. Companies, especially in the online sector, should be aware of this increased risk of private enforcement and check compliance measures.