GDPR and unfair competition – data protection pitfalls when doing business in Germany

GDPR and unfair competition – data protection pitfalls when doing business in Germany

 

Dr. Marcus Dittmann, Rechtsanwalt

 

Last updated 20 November 2018

 

Companies operating business websites in Germany have to be careful to ensure compliance to German laws. Among other things, German laws require that companies must provide certain legal information on their commercial websites and company homepages, specifically provider identification and address etc., in what is somewhat infamously known as “imprint”, in German: “Impressum”. Furthermore, German laws are relatively strict in regard to consumer protection and even which specific clauses may or may not be allowed in a company’s general terms and conditions (in German: Allgemeine Geschäftsbedingungen, abbreviated as “AGB”).

 

Dr. Marcus Dittmann, Rechtsanwalt

 

Last updated 20 November 2018

 

Companies operating business websites in Germany have to be careful to ensure compliance to German laws. Among other things, German laws require that companies must provide certain legal information on their commercial websites and company homepages, specifically provider identification and address etc., in what is somewhat infamously known as “imprint”, in German: “Impressum”. Furthermore, German laws are relatively strict in regard to consumer protection and even which specific clauses may or may not be allowed in a company’s general terms and conditions (in German: Allgemeine Geschäftsbedingungen, abbreviated as “AGB”).

 

Such matters may indeed fall under the German law against unfair completion (Gesetz gegen den unlauteren Wettbewerb, UWG). Companies that run afoul of such laws, by willfully ignoring them or accidentally not bearing them in mind, risk to be on the receiving end of angry warning letters and formal cease and desist letters (“Abmahnung”) sent by consumer protection organizations and competitors, alleging unfair competition, which may entail significant legal costs and lead to injunctions and law suits.

 

One more such legal mine field has recently sprung up which involves data protection law. In May 2018, the European Data Protection Regulation Regulation (EU) 2016/679 (GDPR) Protection Regulation Regulation (EU) 2016/679 (GDPR) has come into force. The GDPR stipulates a number of obligations for companies processing personal data of any kind and it has become an important compliance matter.

 

Since then, there has been a lively discussion in German legal circles about whether a company failing to fully comply with the GDPR or making a mistake on its website or in its business model in regard to data protection laws may actually commit unfair competition. There have been several court cases with contradictory rulings.

 

Some courts have held that a violation of the GDPR can only be sanctioned under the GDPR regime itself, meaning that the GDPR contains final and binding rules and remedies. Namely, articles 77 to 84 GDPR contain provisions regarding administrative fines and personal rights and remedies of any data subjects concerned, but in particular no rights and remedies for competitors, who consequently are not allowed to directly enforce compliance by other companies. This is the opinion of the District Court of Bochum (Landgericht Bochum, Urteil vom 07.08.2018, Az. I-12 O 85/18), for example.

 

Other courts, however, have held that a violation of data protection laws does indeed qualify as unfair competition. It is argued that one company which does not comply with data protection standards, no matter if intentionally or by mistake, might actually enjoy a slight competitive advantage over another company which spends cost, time and effort to comply with possibly complicated privacy norms. This should not be tolerated, proponents of this view say, as this would in effect be an unfair business practice. Consequently, in such cases the courts have allowed consumer protection organizations and competitors to successfully directly sue offenders for cease and desist, damages and legal costs. This opinion has been voiced by the District Court of Würzburg (Landgericht Würzburg, Beschluss vom 13.09.2018, Az. 11 O 1741/18) and more recently by the Hamburg Court of Appeal (OLG Hamburg, Urteil vom 25.10.2018, Az.: 3 U 66/17).

 

So far, there have only been decisions on a case by case basis by the lower courts. There has been no binding precedent yet and no final decision yet by the German Federal Court of Justice (Bundesgerichtshof) to finally resolve the matter.

 

Until then, the issue remains unsolved. Companies doing business in Germany are well advised to take applicable data protection laws into account. If you receive a cease and desist letter (“Abmahnung”) it is advisable to seek legal advice without delay in order to mitigate or possibly avoid costly law suits under German unfair competition laws.

 

Last updated: 20. November 2018

 

If you have any questions please contact:

Dr. Marcus Dittmann