In Germany, after the regional courts of Würzburg and Bochum, the Higher Regional Court (OLG) of Hamburg has now also passed a judgment which deals with the ability to issue warning notices for violations of the GDPR under German fair trading law. According to the Hamburg Higher Regional Court, the GDPR does not contain a closed system of sanctions that precludes warning letters:

[…] The Senate is, contrary to the opinion represented by the defendant, not of the opinion that the GDPR contains a completed sanction system which would preclude the prosecution of data protection infringement actions by competitors on the basis of unfair competition law.

55 This view, which is also held by Köhler […] in particular, has met with criticism. It is based primarily on the fact that Art. 77–79 of the GDPR provide the “data subject”, i.e. the person whose data are processed (cf. Art. 4 No. 1 of the GDPR), with legal remedies and that the data subject is entitled under Art. 80 (1) of the Regulation to commission organizations to exercise the aforementioned rights on his or her behalf. The opening clause of Art. 80 (2) of the Regulation provides only that Member States may also grant such organizations the right to pursue an infringement without a mandate from the data subject. From this, the defendant infers, with Köhler, that competitors do not have the authority to assert their own rights.

56 Against this, it is rightly objected that Art. 80 (2) GDPR intends to regulate the question of representative actions, but that it does not have conclusive character with regard to the enforcement of rights by others […]. This is also supported by the fact that Art. 77–79 GDPR provide for legal remedies for data subjects […] or any other person […], but in this respect always without prejudice to any other administrative or judicial […] or any other administrative or extrajudicial […] remedy. And Art. 82 GDPR in turn awards damages to “any person” who has suffered damage because of the breach of the Regulation. This also clearly indicates that the GDPR does not preclude the prosecution of acts of data protection infringement by persons other than the “data subjects” whose data are processed (cf. Art. 4 No. 2 GDPR).

57 Finally, Article 84(1) of the GDPR states that Member States shall lay down the rules on other sanctions applicable to infringements of this Regulation […] and shall take all measures necessary to ensure that they are implemented. […] This also speaks for the fact that the Regulation only provides a minimum standard of sanctions […] Especially in the context of the provision of Art. 77 GDPR, which also leaves other – i.e. not regulated in the GDPR itself – judicial remedies open to every data subject, as well as the provision of Art. 82 (1) GDPR, which grants not only the data subject but every person a right to compensation, it becomes clear that the GDPR is designed to be open with regard to other remedies and sanctions not regulated in the regulation itself.

Warning letters therefore remain possible in principle. However, the infringed standard must be examined in each individual case to determine whether it has a competitive character; otherwise, the infringement does not constitute a violation of competition law:

According to Section 3a UWG, […] anyone who acts contrary to a statutory provision which is also intended to regulate market behavior in the interest of market participants acts unfairly. […] A provision that serves to protect the rights, legal interests or other interests of market participants is a market conduct regulation if the protected interest is touched precisely through market participation, i.e. through the conclusion of exchange contracts and the subsequent consumption or use of the acquired goods or utilized services. What is not required is a specifically competition-related protective function in the sense that the regulation specifically protects market participants from the risk of unfair influence on their market behavior. […] […] The decision of the Senate of 27.06.2013 does not, however – contrary to the apparent assumption of the Regional Court – already express that every norm under data protection law has a market conduct regulating character. In the meantime, case law and literature have rightly come to accept that, in this respect, the respective standard must be specifically checked for whether that very norm has as its object the regulation of market conduct.