LG Würz­burg: Vio­la­ti­ons of the GDPR are sub­ject to a war­ning under the Ger­man Unfair Com­pe­ti­ti­on Act (UWG)

The Würz­burg Regio­nal Court has ruled that GDPR vio­la­ti­ons can in prin­ci­ple vio­la­te the Ger­man Unfair Com­pe­ti­ti­on Act. § 3a D‑UWG regu­la­tes the “breach of law” rele­vant under fair tra­ding law as follows:

A per­son acts unf­air­ly if he or she vio­la­tes a sta­tu­to­ry pro­vi­si­on which also is inten­ded for this pur­po­se, regu­la­te mar­ket beha­vi­or in the inte­rest of mar­ket par­ti­ci­pan­tsand the inf­rin­ge­ment is likely to have a signi­fi­cant adver­se effect on the inte­rests of con­su­mers, other mar­ket par­ti­ci­pan­ts or competitors.

The que­sti­on is the­r­e­fo­re first whe­ther the GDPR (also) con­sti­tu­tes mar­ket con­duct law. In Switz­er­land, the same applies as a result. The “advan­ta­ge by brea­king the law” is dis­cus­sed here as a case group of Art. 2 UWG; whoe­ver com­po­ses an unlawful advan­ta­ge by vio­la­ting a legal pro­vi­si­on ther­eby beha­ves unf­air­ly, pro­vi­ded that the vio­la­ted pro­vi­si­on intends to regu­la­te mar­ket con­duct (wher­eby, in addi­ti­on, a plan­ned or syste­ma­tic approach is usual­ly requi­red). The­re is hard­ly any case law; an excep­ti­on is the Kamov decis­i­on of the BGer:

[4] a) […]  Vio­la­ti­on of legal norms out­side the UWG is rele­vant in terms of unfair com­pe­ti­ti­on law, if the vio­la­ted pro­vi­si­ons com­pe­ti­ti­ve rele­van­ce have, the vio­la­ti­on of which may the­r­e­fo­re have an impact on com­pe­ti­ti­on […]. Whe­re a legal pro­vi­si­on rele­vant under com­pe­ti­ti­on law is vio­la­ted by the com­pe­tent aut­ho­ri­ty con­cre­ti­zed by means of an order is decisive […]. […]

In Ger­ma­ny, howe­ver, this que­sti­on has grea­ter weight becau­se vio­la­ti­ons of Sec­tion 3a D‑UWG can lead to war­nings. Howe­ver, it has not been cla­ri­fi­ed whe­ther vio­la­ti­ons of the GDPR are capa­ble of giving rise to war­ning let­ters. It is also argued that the pro­vi­si­on of Art. 77 et seq. GDPR (reme­dies, lia­bi­li­ty and sanc­tions) are in prin­ci­ple (sub­ject to the ope­ning clau­se in Art. 80(2)) exhaus­ti­ve, so that pro­se­cu­ti­on under Sec­tion 3a UWG is excluded.

Howe­ver, the Würz­burg Regio­nal Court has now ruled (the order is available here as PDF) that the web­site of a law firm vio­la­ted the GDPR and that this was a vio­la­ti­on of com­pe­ti­ti­on that could be sub­ject to a warning:

The imprint of the defen­dant con­ta­ins the fol­lo­wing infor­ma­ti­on 7‑line pri­va­cy poli­cy does not satis­fy the new GDPR. It miss­ing Infor­ma­ti­on on the per­son respon­si­ble, on the coll­ec­tion and sto­rage of per­so­nal data as well as the type and pur­po­se of their use, a state­ment on the trans­fer of data, on coo­kies, ana­ly­sis tools, but abo­ve all the ins­truc­tion on the rights of the data sub­ject, in par­ti­cu­lar the right to object, data secu­ri­ty and the refe­rence to the pos­si­bi­li­ty of com­plai­ning to a super­vi­so­ry aut­ho­ri­ty. With the Hig­her Regio­nal Court of Ham­burg (3 U 26/12) and the Hig­her Regio­nal Court of Colo­gne (6 U 121/15), the reco­gnizing court assu­mes that the regu­la­ti­ons that were vio­la­ted here are Vio­la­ti­ons of com­pe­ti­ti­on law accor­ding to § 4 No. 11 UWG or now § 3a UWG and thus could be war­ned by the appli­cant. The fact that the defen­dant coll­ects data is alre­a­dy indi­ca­ted by the simul­ta­neous use of a cont­act form on the home­page. Sin­ce the defen­dant can in any case coll­ect data via a cont­act form, encryp­ti­on of the home­page is also man­da­to­ry, which is miss­ing here.

Howe­ver, the decis­i­on was made in a super­pro­vi­sio­nal pro­ce­du­re and is not legal­ly bin­ding as far as can be seen.