You received a GDPR warning? What you need to know now

Since 2018, the General Data Protection Regulation (GDPR) has strengthened consumer protection. However, this has had an unpleasant side effect: since then, warnings have been piling up due to alleged data protection violations. The following article explains when such a GDPR warning is permissible and by whom it can be issued.

Content

1. Can a warning be issued for a data protection breach?
2. What are the reasons for a GDPR warning?
3. Are competitors and rivals allowed to issue a warning?
4. Received a GDPR warning - What to do now?
5. How can a GDPR warning be prevented?
6. Conclusion

1.  Can a warning be issued for a data protection breach?

The General Data Protection Regulation (GDPR) obliges companies and private individuals to handle personal data securely when it is collected, processed or used.

One speaks of "processing of personal data" if, for example, registration is required on the website for use, the purchasing behaviour of customers is analysed or cookies are used. Then the rules of the GDPR apply.

Art. 83 GDPR standardises which legal consequences arise in the event of a data protection breach and a violation of the GDPR (e.g. penalties and fines of up to 20 million euros or 4% of the company's annual turnover). If there is a potential violation, the supervisory authority in particular can take action against the violator and impose fines.

2. What are the reasons for a GDPR warning?

There are various actions that constitute a breach of the GDPR and may constitute grounds for a GDPR warning. Here are some examples:

• Incomplete information (e.g. regarding cookie use, privacy policy, imprint).
• Google Analytics and third-party tracking are not used in a DSGVO-compliant manner.
• Plugins (e.g. integration of buttons, whereby user data is transmitted without permission with one click) are not used in compliance with the GDPR
• Google Fonts
• No reference to the right to object
• IP address is not anonymised
• Contents of the data protection declaration do not comply with Art. 13 DSGVO
• No reference to the OS arbitration board
• Website is not encrypted
• Requests for information about personal data are not followed up.

3. Are competitors and rivals allowed to issue a warning?

Data subjects of a breach must in principle turn to the supervisory authority. Pursuant to Art. 80 GDPR, they may also instruct a non-profit institution, organisation or association to lodge a complaint with the authority. Subsequently, further action is also in the hands of the supervisory authorities.

Example: A Facebook user was denied a right of access to his personal data (posting of photos, comments). He can turn to the data protection authority and report this.

Whether competitors and rivals may also issue warnings in addition to this is not clearly clarified in case law. The starting point for the discussion is the question of whether a violation of the GDPR can also be a violation of the Unfair Competition Act (UWG).

The UWG establishes certain "market conduct rules" for all parties involved in economic life and thus guarantees fair competition with a level playing field for all. In the event of an infringement of the UWG, competitors and rivals are usually allowed to warn the potential infringers themselves if the infringing conduct puts them in a disadvantageous market situation.

If a company does not comply with the rules of the GDPR, this saves resources and workload. This gives the company a competitive advantage and at the same time puts other competitors who comply with the GDPR at a disadvantage. A reference to market conduct would thus be affirmed by the GDPR. With this justification, a violation of the UWG would then also be given and competitors as well as rivals would be entitled to a warning. However, this question has not been clearly decided in case law in the past:

• Bochum Regional Court in 2018 (ruling of 07.08.2018 - I-12 O 85/18): a GDPR warning for UWG infringement by competitors was not possible.
• Würzburg Regional Court in 2018 (ruling of 13.09.2018, ref.: 11 O 1741/18 UWG): Competitors are allowed to issue warning notices.
• Hamburg Higher Regional Court in 2018 (ruling of 25.10.2018, ref. 3 U 66/17): A warning notice is also possible by competitors. Although not every breach of the GDPR automatically constitutes grounds for a warning, it does as soon as it has a "market conduct regulating character". This question had to be examined specifically for each GDPR regulation. In the case of a missing data protection statement, this was the case.
• Munich Higher Regional Court in 2019: The GDPR and the UGW are not mutually exclusive, but exist side by side. This court also ruled that a GDPR warning was possible, but depended on the individual case.
  European Court of Justice: In 2020, the Federal Court of Justice referred the question to the European Court of Justice as to who can be the person issuing the warning notice (BGH, decision of 28.05.2020 - I ZR 186/17). The decision on this is still pending.

Reform of the Unfair Competition Act (UWG): In December 2020, the legislator amended the UWG to create Section 13 UWG, which protects small and medium-sized enterprises from warning letters. In the future, warning costs may no longer be claimed in the case of warnings for data protection violations by companies and commercially active associations if the company being warned generally employs fewer than 250 employees. In the case of companies with less than 100 employees, a cease-and-desist declaration with a penalty clause may not be demanded in the case of a first-time infringement. This apparently confirms that data protection violations are generally subject to a warning.

Conclusion: Despite the lack of a final decision, one tends in the direction that data protection infringements are also infringements under competition law. Competitors and rivals should therefore not be deterred from issuing a warning notice if they are affected. If you are directly affected by the GDPR violation anyway, you can easily involve the supervisory authorities.

4. Received a GDPR warning - What to do now?

If you have received a warning, you should not panic. Since there is still no final decision by the highest court, you can take advantage of this if you want to take action against the warning. For effective action, the following points should be observed:

• Check who has warned you (person directly affected or competitor or competitor).
• In order to guarantee that the infringing act will not be repeated, you will usually be asked to submit a cease-and-desist declaration with a penalty clause. This declaration is a written promise not to carry out any more infringing acts in the future and to pay a certain amount to the infringed party if you do not comply with the agreement. In addition, the cease-and-desist declaration has advantages for the person issuing the cease-and-desist letter in terms of legal costs, should the matter still go to trial. For this reason, you should not immediately sign a cease-and-desist declaration if it has not been checked whether a data protection violation has really occurred.
• Do not pay any amounts demanded of you without having checked with a lawyer.

5. How can a GDPR warning be prevented?

By observing the GDPR regulations in advance, you can prevent a GDPR warning at an early stage. To do this, you should seek comprehensive advice. The following points should be observed, for example:

• Point out the use of cookies
• Draw up a data protection declaration that meets the requirements of Art. 13 DSGVO
• Use an encrypted contact form
• Encrypt the homepage
• Point out the right to object when using analytic tools or tracking plug-ins.

Have the terms and conditions you use and your website checked by a lawyer.

6. Conclusion

• In the first instance, the prosecution of GDPR violations is a matter for the supervisory authority.
• According to widespread opinion, a violation of the GDPR can constitute a violation of the UWG and lead to a warning. Under certain circumstances, competitors and rivals may also be able to issue a warning notice for data protection violations. However, courts are not yet in agreement on this issue, so a supreme court decision remains to be seen.
• Reasons for a warning can be, for example, errors in the data protection declaration or a non-DSGVO-compliant use of Google Analytics, third-party tracking or plug-ins.
• Prevent warnings by complying with the GDPR regulations.
• If you have already received a warning, check who is sending you a warning and do not sign a penalty-based cease-and-desist declaration prematurely without checking.

Picture credits: © Simone Werner-Ney | PantherMedia

Weitere Artikel zum Thema: