BGH confirms: Data protection violations can be prosecuted by competitors and consumer associations

In its ruling of March 27, 2025, the German Federal Court of Justice (BGH) made an important decision on the prosecution of data protection violations under civil law. Specifically, it concerned the question of whether consumer protection associations and competitors are authorized to assert violations of the GDPR before the civil courts by way of a competition law action.

Until now, this question has been controversial in literature and case law. While some courts and voices in the literature assumed that the GDPR conclusively regulates who is entitled to enforce data protection obligations, others – particularly with regard to the opening clause in Art. 80 para. 2 GDPR – saw room for national regulations on representative actions. The BGH had referred this legal question to the Court of Justice of the European Union (CJEU) for clarification.

ECJ strengthens association and competitor actions

The ECJ set the course in these preliminary ruling proceedings:

In the Meta Platforms Ireland I decision (C-319/20) of 28 April 2022, the ECJ clarified that Art. 80 para. 2 GDPR allows Member States to provide for a right of action for qualified entities such as consumer protection associations even without a specific mandate from data subjects. The decisive factor is that the action is aimed at protecting the rights of individuals in connection with the processing of their data. A specific identification of individual data subjects is not required for this, provided that an identifiable category or group of persons is affected.

In the subsequent Meta Platforms Ireland II judgment (C-757/22) of 11 July 2024, the ECJ confirmed this line and clarified that the GDPR does not preclude a national right of action for competitors if they assert data protection violations that also violate market conduct rules. Data protection regulations can therefore - depending on their national form - also be relevant under competition law, particularly if they are intended to protect consumers when making market decisions.

Decision of the BGH: Competition law and GDPR are intertwined

In its ruling of March 27, 2025, the Federal Court of Justice determined in accordance with these European legal requirements that both consumer protection associations (Section 8 (3) No. 3 UWG, Section 3 UKlaG) and competitors (Section 8 (3) No. 1 UWG) are entitled to pursue data protection violations in civil proceedings. Violations of central information obligations pursuant to Art. 12 and 13 GDPR and the prohibition of processing special categories of data pursuant to Art. 9 GDPR constitute market conduct regulations within the meaning of Section 3a UWG and give rise to claims for injunctive relief under competition law.

The decision concerned three proceedings: Proceedings I ZR 186/17 concerned the presentation of games in the so-called "App Center" of the social network Facebook. Before starting the game, users were provided with information that did not make it sufficiently clear which personal data would be processed, to what extent, for what purpose and to whom it would be passed on. The BGH found that the information did not meet the requirements of the GDPR and that this constituted a breach of the information obligations arising from the GDPR that was relevant under competition law. In particular, the BGH emphasized the economic importance of personal data as a "currency" in internet-based business models. The data protection information obligations are therefore essential for an informed consumer decision and represent an essential rule of market conduct. In addition, a blanket clause allowing an application to post "status messages, photos and more" in the name of the user, for example, was classified as an unreasonable disadvantage and therefore an invalid general terms and conditions.

In the proceedings I ZR 222/19 and I ZR 223/19, which were also decided, the focus was on the online sale of medicines by pharmacists via the Amazon platform. The plaintiff pharmacists complained that health data such as name, delivery address and medication details were processed during the ordering process without the customer's express consent. The BGH confirmed that this data is health data within the meaning of Art. 9 GDPR and that its processing without consent is unlawful. Here, too, the BGH recognized an infringement relevant to competition law. Art. 9 GDPR is a market conduct rule, as the provision protects the informational self-determination of consumers in the context of their participation in the market.

Consequences and recommendation

The BGH's decision has far-reaching consequences for companies. Data protection violations will be much more "vulnerable" in future, as not only can supervisory authorities and affected users take action, but there is also the threat of warnings from competitors and associations.

This applies in particular to unclear or incomplete data protection declarations, the use of inadmissible terms and conditions clauses or the processing of sensitive data - for example in the healthcare sector - without effective consent. Companies should therefore carefully review their consent texts and GTC clauses and, in particular, ensure that the information obligations under data protection law are implemented in a complete, comprehensible and transparent manner.