On March 27, 2025, the Federal Court of Justice (“BGH”) published three rulings with particular significance. In the three groundbreaking decisions, the BGH implements the requirements of the European Court of Justice (“ECJ”) and opens the door to competition law claims by competitors and consumer protection associations in the event of data protection violations. Is this the beginning of a new wave of warning letters?
I. Background
The General Data Protection Regulation (“GDPR”) primarily protects data subjects. If a controller violates GDPR provisions, the data subject is entitled to legal remedies, such as the right to data erasure or, depending on the case, claims for damages. In addition, data protection authorities can take various measures to enforce the GDPR, such as issuing a prohibition order or imposing fines on the controller.
In contrast, it was unclear for a long time whether a competitor could also make a claim against the controller for removal and injunctive relief under the Unfair Competition Act (“UWG”) due to a data protection breach by the controller. Specifically, the question was whether the sanctions regime of the GDPR must be regarded as exhaustive or whether Sections 3 (1), 3a UWG (“Vorsprung durch Rechtsbruch”, “Advantage through breach of law”) can be applied additionally. In the past, German regional courts have judged this in different ways, and the feared wave of warnings following the introduction of the GDPR in 2018 did not materialize so far.
Also, it was not clear for a long time, under which conditions consumer protection associations could invoke a right of action in connection with GDPR infringements.
As expected, these unresolved issues finally reached the BGH. In two parallel proceedings (Ref.: I ZR 222/19 and ZR 223/19), the BGH had to clarify the entitlement of pharmacists in competition to bring claims for GDPR infringements. A third case (Ref.: I ZR 186/17) concerned the right of action of the Federation of German Consumer Organizations (“vzbv”) in a legal dispute against the operator of a social media platform due to breaches of data protection and fair-competition information obligations.
After the BGH had referred all three proceedings to the ECJ for a preliminary ruling, which has since ruled in favor of the applicability of competition law (see our press release dated October 8, 2024 here), the final decisions of the BGH are now also out:
II. BGH, judgment of March 27, 2025, case no. I ZR 186/17 – right of action of consumer associations
In the first case, the vzbv brought an action against the operator of a social media platform.
On the social media platform, users were offered free online games in an “app center”. In November 2012, certain notices were displayed in some of these games under the “Play now” button:
“By clicking “Play Game” above, this application will receive: Your general information (?), Your e-mail address, About you, Your status messages. This application may post on your behalf, including your score and more.” [translated by the authors]
One of the games also stated that the application was allowed to “post status messages, photos and more on your behalf”. The vzbv saw this as a violation of the data protection requirements of the GDPR, as users were not sufficiently informed about the collection and use of their personal data and no required effective consent was obtained.
The ECJ had already ruled in 2022, following a referral from the BGH in this case, that consumer protection associations can also challenge violations of the GDPR on the basis of consumer and competition law. Upon further referral by the BGH, the ECJ specified on 11 July 2024 that violations of the obligation to provide information pursuant to Art. 12 et seq. GDPR and Section 5a UWG may be sufficient to justify a consumer association's right of action.
In its ruling of 27 March 2025, the Federal Court of Justice confirmed that the infringement of the GDPR can be challenged under competition law. The BGH thus dismissed the appeal by the operator of the social media platform. The defendant's conduct constituted a breach of the data protection information obligation under Art. 12 para. 1 sentence 1, Art. 13 para. 1 lit. c), lit. e) GDPR. At the beginning of the game, the users were not sufficiently informed about the type, scope and purpose of the collection and the legal basis for the processing of their data. On the one hand, this constitutes a breach of competition law in terms of withholding material information pursuant to Section 5a (1) UWG. At the same time, the wording “This application may post status messages, photos and more in your name” did not sufficiently fulfill the information obligations under data protection law and was to be classified as an invalid clause pursuant to Section 3 (1) sentence 1 no. 1 of the Act on Injunctions for Consumer Rights and Other Infringements (“UKlaG”). Such clauses can be prohibited in accordance with Section 1 UKlaG.
Thus, the core element of the ruling is the finding that breaches of data protection information obligations can also constitute breaches of competition law. Pursuant to Section 8 (3) No. 3 UWG and Section 3 (1) No. 1 UKlaG, these can be challenged by consumer action associations before the civil courts.
III. BGH, judgments of March 27, 2025, Ref. I ZR 222/19 and I ZR 223/19 - Competitors' right of action
In the second and third parallel case, two pharmacists had brought an action against a competitor. The latter had sold medicines via an online marketplace and processed the personal data of its customers, including customer names and information on the medicines sold. The customers' explicit consent was not obtained for this.
The two plaintiff pharmacists saw this as a violation of Art. 9 GDPR. According to this, explicit consent pursuant to Art. 9 para. 2 lit. a) GDPR was required, which was not given.
According to the BGH, such an infringement can be pursued by competitors by means of an action under unfair competition law. The ECJ recently ruled on this matter in its highly regarded judgment of October 4, 2024, Ref.: C-21/23 (“Lindenapotheke”), as a result of a question referred by the BGH. We have already published a comprehensive article on this judgment in GRUR-Prax (GRUR-Prax 2025, 171).
As a result, it was already decided by the highest court in October last year that the GDPR, in principle, does not stand in the way of a claim for removal and injunctive relief of a data protection breach pursuant to Sections 8 (1), (3) No. 1 in conjunction with 3 (1), 3a UWG.
It was (and still is) unclear which provisions of the GDPR are actually to be regarded as market conduct rules within the meaning of Section 3a UWG. For Art. 9 GDPR, this has now been affirmed by the BGH in the two judgments of March 27, 2025. Art. 9 GDPR not only protects the data subjects' right to informational self-determination, but also serves to protect them as market participants.
IV. Practical consequences
In future, in addition to the data subjects and data protection supervisory authorities, there will be two further potential claimants with regard to possible GDPR infringements: the competitor and the consumer action associations. In this respect, the UWG and the UKlaG serve as instrument for asserting such claims.
Is there now a threat of a new wave of warning letters? This is doubtful. On the one hand, reimbursement of the warning party's expenses is excluded pursuant to Section 13 (4) No. 2 UWG if the warned party generally employs fewer than 250 employees. Secondly, in the case of a first-time infringement, the possibility of agreeing a contractual penalty in accordance with Section 13a (2) UWG is excluded if the warned party generally employs fewer than 100 employees. It is therefore likely to be difficult for warning law firms (“Abmahnkanzleien”) to turn data protection violations into a business model.
Now that the German Federal Court of Justice has already classified Art. 9 GDPR as a market conduct rule within the meaning of Section 3a UWG, it remains to be seen which other GDPR provisions will be classified as such by the courts. This will be particularly exciting with regard to Art. 25, 32 GDPR (privacy-by-design, privacy-by-default and technical and/or organizational measures for the protection of personal data).
In any case, companies should take the three decisions of the Federal Court of Justice from March 27, 2025 as an opportunity to thoroughly examine and safeguard their business models both from a data protection law perspective and from the perspective of unfairness. Companies should pay more attention to ensuring that their privacy notices are up to date.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
