The European Court of Justice (ECJ) recently issued a ruling (judgment of October 4, 2024) stating that the General Data Protection Regulation (GDPR) does not provide an exhaustive list of who may pursue data protection violations. This decision has significant implications for competitors who seek to address GDPR breaches.
Background of the Case
The case involved the sale of pharmacy-only medicines by a pharmacy on an online platform, during which customer data was processed. A competitor filed for an injunction, arguing that the pharmacy had not obtained explicit consent to process customers’ health data. The competitor claimed this was a violation of the GDPR and, at the same time, constituted unfair commercial practice under the German Unfair Competition Act (UWG). Under Section 3a UWG, it is considered unfair to violate a legal provision designed to regulate market behavior.
The ECJ’s Decision
The ECJ confirmed that Chapter VIII of the GDPR does not contain exhaustive provisions that exclude other legal remedies. This means that national laws, such as the German UWG, can act as a supplement. In this specific case, this implies that even competitors who are not “data subjects” within the meaning of the GDPR are entitled to pursue GDPR violations through a competition law claim. This holds true even though the GDPR itself does not explicitly provide for such remedies.
Competition Law Claims and Cease-and-Desist Letters
The ECJ clarified that competitors can file for injunctions under competition law if data protection violations simultaneously amount to unfair commercial practices. This opens the door for competitors to issue cease-and-desist letters to companies that fail to comply with data protection regulations.
The court reasoned that data protection violations can also impact competition, particularly in sectors where access to personal data provides a competitive advantage. Ensuring fair competition thus requires adherence to data protection rules.
Impact in Germany
In Germany, this decision will have significant consequences, as it explicitly grants competitors the right to pursue data protection violations under competition law. However, Section 13(4) UWG sets high thresholds for the reimbursement of costs in such cases. The German legislature introduced this provision to prevent the rise of a “warning letter industry.” This means that while competitors can issue warnings for GDPR breaches, they generally cannot expect reimbursement for the costs unless the violation was particularly severe and evident.
Health Data and Its Protection
Another central aspect of the ruling was the question of whether data collected in connection with the purchase of pharmacy-only medicines constitutes “health data” under the GDPR. The ECJ ruled that entering information such as the customer’s name, delivery address, and medication type must be classified as health data, as these details can provide insights into the individual’s health condition.
This applies even when the medicine is not prescription-only or is purchased for another person. The sensitivity of the data collected requires special protection under the GDPR in any case.
Conclusion
The ECJ’s decision makes it clear that data protection violations can be pursued not only by affected individuals or supervisory authorities but also by competitors when such violations also constitute unfair commercial practices. In Germany, this will lead to competitors increasingly focusing on data protection violations in competition law disputes. However, the high threshold for cost reimbursement will limit the extent to which warning letters are issued in this area.
- BiotechCrime: Biotechnology and biohacking as a criminal offense - 10. February 2025
- European arrest warrant: Support in Germany - 2. February 2025
- Red Notice - 2. February 2025