The Würzburg Regional Court has ruled that GDPR violations can in principle violate the German Unfair Competition Act. § 3a D‑UWG regulates the “breach of law” relevant under fair trading law as follows:
A person acts unfairly if he or she violates a statutory provision which also is intended for this purpose, regulate market behavior in the interest of market participantsand the infringement is likely to have a significant adverse effect on the interests of consumers, other market participants or competitors.
The question is therefore first whether the GDPR (also) constitutes market conduct law. In Switzerland, the same applies as a result. The “advantage by breaking the law” is discussed here as a case group of Art. 2 UWG; whoever composes an unlawful advantage by violating a legal provision thereby behaves unfairly, provided that the violated provision intends to regulate market conduct (whereby, in addition, a planned or systematic approach is usually required). There is hardly any case law; an exception is the Kamov decision of the BGer:
[4] a) […] Violation of legal norms outside the UWG is relevant in terms of unfair competition law, if the violated provisions competitive relevance have, the violation of which may therefore have an impact on competition […]. Where a legal provision relevant under competition law is violated by the competent authority concretized by means of an order is decisive […]. […]
In Germany, however, this question has greater weight because violations of Section 3a D‑UWG can lead to warnings. However, it has not been clarified whether violations of the GDPR are capable of giving rise to warning letters. It is also argued that the provision of Art. 77 et seq. GDPR (remedies, liability and sanctions) are in principle (subject to the opening clause in Art. 80(2)) exhaustive, so that prosecution under Section 3a UWG is excluded.
However, the Würzburg Regional Court has now ruled (the order is available here as PDF) that the website of a law firm violated the GDPR and that this was a violation of competition that could be subject to a warning:
The imprint of the defendant contains the following information 7‑line privacy policy does not satisfy the new GDPR. It missing Information on the person responsible, on the collection and storage of personal data as well as the type and purpose of their use, a statement on the transfer of data, on cookies, analysis tools, but above all the instruction on the rights of the data subject, in particular the right to object, data security and the reference to the possibility of complaining to a supervisory authority. With the Higher Regional Court of Hamburg (3 U 26/12) and the Higher Regional Court of Cologne (6 U 121/15), the recognizing court assumes that the regulations that were violated here are Violations of competition law according to § 4 No. 11 UWG or now § 3a UWG and thus could be warned by the applicant. The fact that the defendant collects data is already indicated by the simultaneous use of a contact form on the homepage. Since the defendant can in any case collect data via a contact form, encryption of the homepage is also mandatory, which is missing here.
However, the decision was made in a superprovisional procedure and is not legally binding as far as can be seen.