The EU Court of Justice has ruled that consumer protection associations can issue warnings for data protection violations. We tell you what this means for you and your company.
What are consumer protection associations?
According to the GDPR and the German Injunctions Act (Unterlassungsklagengesetz - UKlaG), consumer protection associations are non-profit institutions, organisations or associations whose statutory objectives are in the public interest and which operate in the field of the protection of the rights and freedoms of data subjects with regard to the protection of their personal data.
The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V.), for example, is a consumer protection association.
What did the consumer protection association complain about?
The legal dispute revolved around data processing operations on the Facebook platform. Among other things, free games are offered there. These games publish the user's name and other information. The user is not informed about further details of this data use. The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V.) considered this data processing to be unlawful and brought an action against these provisions before the Berlin Regional Court. The Federation of German Consumer Organisations was victorious in the first and second instance. In the course of the appeal proceedings before the BGH, the latter referred the case to the ECJ for a preliminary ruling.
What did the BGH want to know from the ECJ?
In simple terms, the BGH asked the ECJ to answer the following question:
May consumer protection associations, contrary to the provisions in Art. 80(1) and (2), 84 GDPR, assert data protection infringements against the infringer before the civil courts in their own right and independently of the infringement of specific rights of individual data subjects and without a mandate from a data subject?
How did the ECJ rule?
According to the ECJ, consumer protection associations may, contrary to the provisions in Art. 80(1) and (2), 84 GDPR, assert data protection infringements against the infringer before the civil courts in their own right and independently of the infringement of specific rights of individual data subjects and without a mandate from a data subject.
Once again, the ECJ argues at the core of the GDPR's objective to ensure effective protection of the fundamental freedoms and rights of natural persons and, in particular, a high level of protection of the right of every individual to the protection of personal data concerning him or her.
Why is this decision important for you?
With consumer protection associations, a new independent "player" is entering the stage of data protection law. Until now, supervisory authorities and especially the courts assumed that consumer protection associations may only act on behalf of a concrete data subject. This required the sometimes laborious search for a data subject. On their own initiative, consumer protection associations could not and were not allowed to pursue data protection violations. As a rule, the "disruptive manoeuvres" therefore came from concretely affected persons, competitors or supervisory authorities.
Now you can also be targeted by consumer protection associations, some of which have considerable financial and human resources. It can also be assumed that some consumer protection associations are trying to open up a new field of activity in the area of data protection (to the limits of what is permissible).
What do you have to do?
You have to deal intensively with the topic of data protection law and stay "up to date". You must comply with the regulations of the GDPR and quickly do your data protection "homework" (if you have not already done so).
Otherwise, you will be threatened with warnings under data protection law and consequences that can massively disrupt your business operations and put an extreme strain on your financial situation.
GoldbergUllrich Rechtsanwälte PartG mbB 2022
Lawyer Julius Oberste-Dommes, LL.M. (Infromation Law)
Specialist lawyer for information technology law