The Federal Court of Justice (BGH) has clarified: Data protection violations under the GDPR can be pursued not only by those directly affected, but also by consumer protection organisations and competitors. Two recent judgements confirm that lawsuits are admissible even if no specific data subject is named.
The first case involved Meta, which operated an app centre via Facebook. Users had to grant some far-reaching access rights for third-party games, such as the release of personal data or posting in their own name. Consumer advocates criticised the fact that Facebook did not provide sufficient information about the use of data and therefore did not obtain valid consent. They also criticised certain game notices as inappropriate terms and conditions clauses. They sued for injunctive relief.
In the second case, pharmacists who sold medicines via Amazon faced each other. The plaintiffs accused their competitors of using personal customer data without consent - a violation of the GDPR. The case also involved other legal violations in the sale of medicines. Here, too, actions were brought for injunctive relief and in some cases for damages.
Both cases were referred to the European Court of Justice, which confirmed that competitors and associations may take legal action against data protection violations even without specific data subjects. The BGH agreed with this view. Breaches of information obligations are also considered unfair competition if they affect consumers' freedom of choice. Terms and conditions clauses that unreasonably penalise users are invalid.
The judgement thus strengthens legal action against data protection deficiencies - even preventively and without individual proof of damage.