Introduction to Data Protection Warning
The data protection warning is a central instrument in data protection law to enforce compliance with the General Data Protection Regulation (GDPR). Since the GDPR came into effect in 2018, companies and organizations are required to exercise the utmost care in processing personal data. If there is a violation of these regulations – for example, due to insufficient information for users or unlawful data processing – a warning can be issued. This can be initiated not only by data protection authorities but also by competitors, consumer protection associations, or even the affected individuals themselves. The aim of a data protection warning is to prompt the company to cease the data protection violation and to comply with data protection rights. For companies, this means they must regularly review and adjust their processes and handling of personal data to avoid warnings and potential subsequent lawsuits.
Legal Foundations
The legal foundations for warnings in the field of data protection are mainly found in the GDPR and the Act against Unfair Competition (UWG). The GDPR regulates in detail how personal data may be collected, stored, and processed. Violations of these regulations – such as unlawful processing or lack of transparency – can be pursued not only by data protection authorities but also under competition law. The UWG protects competition against unfair business practices and provides that a data protection violation may also be considered a violation of the UWG if it gives a company an unfair advantage. Thus, warnings for data protection violations can be issued based on both the GDPR and the UWG. Companies should therefore ensure that they strictly adhere to the legal requirements for processing personal data to avoid warnings and further legal consequences.
Competitors may warn – Judgments of the BGH I ZR 186/17 / I ZR 222/19 / I ZR 223/19
Competitors and consumer protection associations may warn companies about data protection violations; the court plays a central role in deciding on warnings for data protection violations. This was determined by the Federal Court of Justice in several judgments dated March 27, 2025 (Case No. I ZR 186/17, I ZR 222/19, I ZR 223/19). Various courts have previously ruled differently on the authority to issue warnings for data protection violations. The multitude of data protection violation cases shows the practical relevance of this topic. The current BGH ruling clarifies that competitors and consumer associations can also take action. The BGH rulings of March 2025 are of great importance for warning practice, as they enable the pursuit of data protection violations by consumer associations and competitors before civil courts. A GDPR warning is a special form of warning that relates to violations of the General Data Protection Regulation and differs from other warnings due to its reference to data protection law. The consumer center plays an important role in enforcing data protection rights. Consumer associations are significantly involved in the warning of data protection violations. Competitors can also pursue data protection violations and thus protect competition. The BGH ruling has significant implications for the practice and legal assessment of data protection violations.
Data protection violations can be sanctioned not only by supervisory authorities. The decision-making authority of the courts is of central importance for data protection violations. As the BGH decisions show, competitors and consumer associations can also take action against violations. In such proceedings, the defendant also plays an important role. For companies, this can have significant consequences, especially in online commerce and when processing sensitive data, according to the law firm MTR Legal, which advises, among others, in IT law and data protection law. GDPR violations can lead to significant legal consequences, especially if injunctions are asserted. Repeated GDPR violations may result in increased sanctions and further measures. The pursuit of data protection violations is carried out by both courts and associations. The importance of sentence 1 and sentence 1 no. in the relevant paragraphs is crucial for the legal classification. The matter is of great importance for the development of data protection law and the enforcement of consumer rights.
Game App posts data
The case with file number I ZR 186/17 concerned a so-called “app center” in a social network where third-party providers offered games. The app center serves as a central platform where various third-party apps are offered. Online games play a significant role in the app center, as they make up a large part of the offerings. When using the app, personal data such as your email address can be processed. Before a user could start a game, they were shown that the application was granted certain permissions, e.g., to post status messages. However, these notices were vague and did not inform about which specific data was processed, who the recipients were, and for what purpose this happened. The federal association of consumer centers successfully challenged this.
The BGH made it clear that such vague and general information does not meet the requirements of the General Data Protection Regulation (GDPR). Users must be fully informed when the data is collected by the app. The extent of the data collected and processed must also be transparently represented. The legally compliant formulation of the purposes of use in the privacy policy is of particular importance. The information obligations under Article 12 and 13 GDPR require clear, precise, and understandable information for the affected individuals. Since these GDPR requirements simultaneously regulate market behavior in the sense of competition law (§ 3a UWG), non-compliance constitutes a competition violation. Competitors or qualified consumer protection associations may therefore take civil action against such data protection violations, according to the BGH. This applies regardless of whether a user has complained.
Pharmacists sell drugs online
Similar questions were addressed in the cases with file numbers I ZR 222/19 and I ZR 223/19. Here, two pharmacies had sold medicines through the Amazon platform. Personal customer data, including health data like name, address, and ordered medications along with information on their individualization, were processed. The collection of this health data by the pharmacies was a central issue of the proceedings. There were numerous cases of data protection violations in the pharmacy sector relevant in this context. Other pharmacists also filed lawsuits against this. These lawsuits were also successful: the BGH made it clear that order data constitute health data within the meaning of Article 9 (1) GDPR. This applies even if the medications are not prescription-required. The data may only be processed with the customer’s explicit consent, which the pharmacists had failed to obtain.
The BGH confirmed the assessment of the European Court of Justice that health data already exist if conclusions can be drawn about the health condition or medication from the order. In the proceedings, the defendant played a central role as they were responsible for data processing. The importance of protecting the affected individual in the processing of health data was particularly emphasized. Here, too, the BGH saw a competition violation. Article 9 (1) GDPR is a market conduct rule within the meaning of § 3a UWG, so the violation of this regulation can be pursued by a competitor through a competition lawsuit before civil courts, according to the Karlsruhe judges. The importance of sentence 1 and sentence 1 no. in the relevant paragraphs was expressly highlighted.
GDPR also relevant to competition law
The judgments show that the regulations of the GDPR – especially the information obligations and the consent regulations – are also relevant to competition law. Under certain circumstances, profits obtained through data protection violations may be forfeited; this is related to fines and other penalties that can be imposed according to the General Data Protection Regulation and the law. Companies that process personal or sensitive data without sufficient information or without effective consent act in violation of competition. Not only data protection authorities but also competitors or qualified interest groups can take action against such violations. In doing so, the BGH has significantly expanded the scope of competition law. Companies that violate data protection regulations may face not only fines from data protection authorities but also costly warnings and injunctions by competitors and consumer protection associations.
Companies are well advised
Companies are therefore well advised to carefully review and fulfill their information obligations. This includes transparently, comprehensibly, and thoroughly informing users about which data is processed for what purpose, on what legal basis, who the recipients are, and what rights the affected individuals have. Before processing sensitive data – such as health data – explicit consent must also be obtained and documented. General or hidden clauses are not sufficient.
Online marketplaces and data protection
Online marketplaces like the Amazon Marketplace are an integral part of modern e-commerce. However, ensuring data protection compliance is particularly important here. Providers operating on such platforms must adhere to the strict requirements of the GDPR when processing customer data – such as names, addresses, or order data. The BGH decisions in the cases I ZR 186/17, I ZR 222/19, and I ZR 223/19 have clarified that violations of the GDPR – such as processing health data without the customer’s explicit consent – can have not only data protection but also competition law consequences. Warnings from competitors or consumer protection associations are possible in such cases and can have significant implications for companies. The Federal Court of Justice rulings underscore that data protection compliance on online marketplaces is not only a matter of compliance but also competitiveness.
Consequences of a warning
A data protection warning can have far-reaching consequences for companies. Besides the obligation to immediately cease the challenged processing of personal data, severe fines or penalties may be imposed if the violation continues. The GDPR provides for amounts up to 20 million euros or 4% of the worldwide annual turnover – whichever is higher. Moreover, a warning can also detrimentally affect a company’s reputation since a violation of data protection is perceived by customers and the public as a serious breach of trust. Therefore, companies should place the utmost importance on compliance with data protection regulations not only for legal reasons but also for reputational ones.
Defense against warnings
To effectively protect themselves against warnings in the field of data protection, companies should regularly review their data protection practices and align them with current GDPR requirements. This includes creating a transparent and comprehensive privacy policy, obtaining explicit consents for the processing of sensitive data, and implementing technical and organizational measures to protect data. In the event of a warning, it is advisable to respond promptly and seek legal counsel to best protect one’s interests. By acting proactively and consistently complying with data protection requirements, companies can significantly reduce the risk of warnings and further legal actions.
MTR Legal advises on data protection, GDPR, and other IT law topics.
Please feel free to contact us!
