The question of whether data protection violations can be warned was already widely discussed before the GDPR came into force, especially the question whether non-compliance with data protection could also be warned by competitors. In September the Würzburg Regional Court ruled that an inadequate data protection declaration constitutes an infringement of competition law. (Resolution of 13.9.2018, 11 O 1741/18)
Insufficient privacy policy
The court considered the data protection declaration to be insufficient. The 7-line data protection declaration does not comply with the GDPR. Information about the controller, on the collection and storage of personal data as well as the type and purpose of their use, a declaration on the disclosure of data, on cookies, analysis tools, but above all information on the rights of data subjects, in particular the right of objection, data security and a reference to the possibility of complaining to a supervisory authority are missing.
Warning letters in the case of GDPR non-compliance
The court publishes the following reasons, which are not based on GDPR regulations, for the legitimacy of warning letters in case of violations of data protection law:
With the Higher Regional Court Hamburg (3 U 26/12) and the Higher Regional Court Cologne (8 U 121/15), the court making the ruling assumes that the provisions infringed here constitute violations of competition law pursuant to § 4 No. 11 UWG (German for: Law against unfair competition) or § 3a UWG and could thus be warned by the applicant.
It is still disputed if GDPR violations can be warned and, if yes, by whom. This first court decision after the GDPR came into force is groundbreaking even if it could be refuted in further instances.
Full text publication of the court decision can be found here: http://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2018-N-22735?hl=true&AspxAutoDetectCookieSupport=1