view all news & events

05.10.2018

First court decisions on GDPR warning letters

By order (in German) of September 13, 2018 (11 O 1741/18 UWG), Würzburg Regional Court issued an interim injunction against a lawyer who provided an incomplete Privacy Policy on her website as well as an unencrypted contact form. The court considered both the missing Privacy Policy and the lack of encryption of the website violations of the GDPR. While this is comprehensible with respect to the missing Privacy Policy, the court fails to explain why it considers the missing encryption to be a data protection violation. This is already technically questionable, since data on forms is frequently transmitted via email, so that the website encryption would have no influence at all on the transmission of data provided in the forms.

The court further ruled that this also constituted a violation of market conduct rules and accordingly there were injunctive relief claims under the Act against Unfair Commercial Practices. The court refers to two decisions of Hamburg Higher Regional Court and Cologne Higher Regional Court that were both issued on provisions of the Telemedia Act relating to data protection law prior to the GDPR coming into effect. In any event, the court does not mention that the prevailing opinion of professional literature considers the GDPR provisions to be final, thus rejecting an application of the Act against Unfair Competition relating to data protection violations.

Since the decision relates to a interim injunction and was issued without hearing the respondent, it is to be assessed with caution. It remains to be seen whether the decision will stand.

Practical tip:

According to the GDPR, a complete Privacy Policy on websites is indisputably necessary and should be implemented by all website operators – independently of the issue whether an incomplete Privacy Policy also represents a unfair commercial practice. If contact forms are offered on the website and the transmission of the data from the website to the operator is not encrypted, the unencrypted transmission of the data should be pointed out in any event.

Update:

In a decision (in German) dated August 7, 2018, the Regional Court of Bochum rejected a cease and desist claim between competitors due to a violation of the GDPR. In its statement, the Court pointed out that the claimant had no right to obtain a cease and desist decision as the provisions of the GDPR are exhaustive and therefore exclude claims by competitors. In its reasoning, the Court expressly referred to a widespread (and above-mentioned) opinion of the legal literature.

Authors

Nikolaus Bertermann

Nikolaus Bertermann

Partner

visit profile