Right of action for companies: Does the GDPR also apply to the competition?

It is now common practice for those affected by data protection violations to take companies to court.

On Thursday, the Federal Court of Justice (BGH) did not answer the contentious question of whether direct competitors can be plaintiffs with reference to the EU General Data Protection Regulation (GDPR).

Instead, the first civil senate responsible for competition issues appealed to the European Court of Justice (ECJ) for clarification.

Marcus Young

Editor in Business.

• Follow I follow

In particular, it is about whether the GDPR conflicts with national rules that grant competitors such a right to sue.

Companies in particular would vigorously pursue such rights, said Thomas Koch, presiding judge of the Senate in Karlsruhe.

In the comparable case of consumer associations, the BGH had already submitted a case for a decision in Luxembourg.

“The GDPR itself does not provide for active action by competitors against data protection violations by the competition.

In principle, it transfers the power to act to the data protection authorities, who can impose corresponding fines," emphasizes Stefan Peintinger from the law firm SKW Schwarz in Munich.

The decisive factor will be whether the provisions of the GDPR are to be considered conclusive for the member states or not.

“If not, they could be regarded as so-called market behavior regulations that protect competitors within the meaning of the law against unfair competition.

Then competitors could become active themselves,” explains the specialist lawyer for IT law.

This is how the Naumburg Higher Regional Court saw it in the lower court.

direction is given

In his opinion, the earlier ECJ judgment in the Meta case, which was also issued on the basis of a submission by the BGH, could set the direction: In this case, the Luxembourg judges decided that consumer protection organizations can take action against general data protection violations themselves - which was also controversial for a long time and is now was regulated by law.

Peintinger recommends: "Even if there is still legal uncertainty, companies should take the current cases as an opportunity to thoroughly examine their products and services again, both from a data protection perspective and from the perspective of unfairness."

The now suspended procedure is about a dispute between pharmacists.

As the Federal Court of Justice announced, the plaintiff complains that his competitor violates, among other things, the Medicines Act, the professional code of conduct for pharmacists and data protection regulations by selling pharmacy-only medicines via Amazon.

From his point of view, health data is collected within the meaning of the GDPR, which allows conclusions to be drawn about the state of health of a person.

This should not happen without their express consent.

(Az. I ZR 222/19 and I ZR 223/19).