In Germany, according to the regional courts Würzburg and Bochum, the Higher Regional Court (OLG) of Hamburg has now also Judgment passedwhich deals with the ability to issue warning notices for violations of the GDPR under German fair trading law. According to the Hamburg Higher Regional Court, the GDPR does not contain a closed system of sanctions that precludes warning letters:
[…] The Senate is, contrary to the opinion represented by the defendant not of the opinionthat the GDPR is a completed sanction system containswhich would preclude the prosecution of data protection infringement actions by competitors on the basis of unfair competition law.55 This view, which is also held by Köhler […] in particular, has met with criticism. It is based primarily on the fact that Art. 77 – 79 of the GDPR provide the “data subject”, i.e. the person whose data are processed (cf. Art. 4 No. 1 of the GDPR) , with legal remedies and that the data subject is entitled under Art. 80 (1) of the Regulation to commission organizations to exercise the aforementioned rights on his or her behalf. The opening clause of Art. 80 (2) of the Regulation provides only that Member States may also grant such organizations the right to pursue an infringement without a mandate from the data subject.. From this, the defendant takes with Köhler that. competitors do not have the authority to assert their own rights.
56 Against this, it is rightly objected that Art. 80 (2) GDPR intends to regulate the question of representative actions, but that not conclusive character because of the enforcement of rights by others […]. This is also supported by the fact that Art. 77 – 79 GDPR provide for legal remedies for data subjects […] or any other person […], but in this respect always without prejudice to any other administrative or judicial […] or any other administrative or extrajudicial […] remedy. And Art. 82 GDPR in turn awards damages to “any person” who has suffered damage because of the breach of the Regulation. This also clearly indicates that the GDPR does not preclude the prosecution of acts of data protection infringement by persons other than the “data subjects” whose data are processed (cf. Art. 4 No. 2 GDPR).
57 Finally, Article 84(1) of the GDPR states that Member States shall lay down the rules on other sanctions applicable to infringements of this Regulation […] and shall take all measures necessary to ensure that they are implemented. […] This also speaks for the fact that the Regulation only provides a Minimum standard of sanctions […] Especially in the context of the provision of Art. 77 GDPR, which also leaves open for every data subject other – i.e. not regulated in the GDPR itself – judicial remedies, as well as the provision of Art. 82 (1) GDPR, which grants not only the data subject but every person a right to compensation, it becomes clear that the GDPR is designed to be open because of other remedies and sanctions not regulated in the regulation itself.
Warning letters therefore remain possible in principle. However, the infringed standard must be examined in each individual case to determine whether it has a competitive character; otherwise, the infringement does not constitute a violation of competition law:
According to Section 3a UWG, -[…] anyone who acts contrary to a statutory provision acts unfairly, which is also intended to regulate market behavior in the interest of market participants. […] A provision that serves to protect the rights, legal interests or other interests of market participants is a market conduct regulation if the protected interest precisely through market participation, i.e. through the conclusion of exchange contracts and the subsequent consumption or use of the acquired goods or utilized services. is touched. What is not required is a specifically competition-related protective function in the sense that the regulation specifically protects market participants from the risk of unfair influence on their market behavior. […] […] The decision of the Senate of 27.06.2013 does not, however – contrary to the apparent assumption of the Regional Court – already express that every norm under data protection law has a market conduct regulating character. In the meantime, case law and literature have come to Right acceptedthat insofar the respective standard must be specifically checked forwhether that very norm has as its object the regulation of market conduct.