Competitors are permitted to issue warnings – Rulings by the Federal Court of Justice I ZR 186/17 / I ZR 222/19 / I ZR 223/19
Competitors and consumer protection associations are permitted to warn companies about data protection violations. This was decided by the Federal Court of Justice in several rulings on March 27, 2025 (Case Nos. I ZR 186/17 / I ZR 222/19 / I ZR 223/19). With these decisions, the Federal Court of Justice fundamentally clarified the connection between data protection law and competition law.
Data protection violations can be penalized not only by supervisory authorities. As the decisions of the Federal Court of Justice show, competitors and consumer protection associations can also take action against such violations. For companies, this can have significant consequences, particularly in online trade and when processing sensitive data, according to the business law firm MTR Legal Rechtsanwälte, which advises, among other things, on IT law and data protection law.
Gaming app posts data
In the case with Case No. I ZR 186/17, the issue concerned a so-called “app center” on a social network, where third-party providers offered games. Before a user could start a game, they were shown a notice stating that the application would receive certain permissions, for example to post status updates. However, these notices were vague and did not inform the user about the specific data being processed, who the recipients were, or the purposes of the processing. The Federal Association of Consumer Centers of the federal states filed a lawsuit against this and was successful.
The Federal Court of Justice clarified that such unclear and sweeping information does not meet the requirements of the General Data Protection Regulation (GDPR). The information obligations under Art. 12 and 13 GDPR require clear, precise, and understandable information for affected persons. Since these requirements of the GDPR concurrently regulate market behavior within the meaning of competition law (§ 3a UWG), such neglect constitutes a violation of competition law. Competitors or qualified consumer protection associations may therefore take civil action against such data protection violations, according to the Federal Court of Justice. This applies regardless of whether a user has filed a complaint.
Pharmacists sell medicines online
Similar questions were addressed in the cases with Case Nos. I ZR 222/19 and I ZR 223/19. Here, two pharmacies sold medicines via the Amazon platform. In doing so, personal data of customers was processed, including health data—such as name, address, or the ordered medicines with information for their individualization. Other pharmacists filed lawsuits against this. These lawsuits were also successful: The Federal Court of Justice clarified that order data within the meaning of Art. 9(1) GDPR constitutes health data. This applies even if the medications are not prescription-only. The data may only be processed if express consent from the customers is obtained, which the pharmacists had not collected.
The Federal Court of Justice confirmed the view of the European Court of Justice that health data is already present if conclusions about the state of health or medication can be drawn from the order. The Federal Court of Justice also considered this a competition law violation. Art. 9(1) GDPR is a market conduct regulation within the meaning of § 3a UWG, so a violation of this provision can be pursued by a competitor through a competition law action before the civil courts, according to the judges in Karlsruhe.
GDPR also relevant under competition law
The rulings show that the requirements of the GDPR, in particular the information obligations and the provisions on consent, are also relevant under competition law. Companies that process personal or sensitive data without sufficient information or without effective consent act in violation of competition law. Not only data protection authorities, but also competitors or qualified interest groups can take action against such violations. With this, the Federal Court of Justice has considerably expanded the scope of competition law. Companies that violate data protection regulations may therefore face not only fines from data protection authorities but also costly warnings and injunctions from competitors and consumer protection associations.
Companies are therefore well advised to carefully review and fulfill their information obligations. This includes ensuring that users are informed transparently, clearly, and comprehensively about what data is processed, for what purposes, on what legal basis, who the recipients are, and what rights the affected persons have. Moreover, before processing sensitive data such as health data, explicit consent must be obtained and documented. General or hidden clauses are not sufficient.
MTR Legal Rechtsanwälte advises on Data protection, GDPR, and other IT law topics.
Feel free to contact us!
