Search
Contact
29.04.2022 | KPMG Law Insights

ECJ: GDPR lawsuits by consumer associations admissible

The ECJ today ruled that qualified consumer associations in Germany have the power to bring an action against a company’s breach of data protection law provisions, even under the GDPR, irrespective of the specific breach of a data subject’s right to the protection of his or her data and without a corresponding mandate from such a person (ECJ, judgment of 28.07.2022 – Case C-319/20, Meta Platforms Ireland Ltd. ./. Verbraucherzentrale Bundesverband e.V.).

 

Federation of German Consumer Organizations against Meta

The subject of the proceedings was the much-noticed preliminary ruling of the Federal Court of Justice in a legal dispute between Meta Platforms Ireland Ltd. as operator of Facebook and the Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband e.V.). In this case, the Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband e.V.) sued the operator of Facebook for injunctive relief due to, among other things, the violation of data protection provisions without having been instructed to do so by a data subject. The BGH confirmed the existence of violations of data protection regulations. However, he still harbored doubts as to whether, since the GDPR came into force, a consumer association’s action could also be brought independently of a specific violation of a data subject’s data protection rights and without a mandate from such a person. In his view, Art. 80 GDPR would preclude a right of association to bring an action in its own right pursuant to Section 8 para. 3 No. 3 UWG (Unfair Competition Act). For Art. 80 para. 1 GDPR requires that a complaining association is mandated by a data subject to exercise on his behalf the rights under the GDPR against data protection infringements. Under the GDPR, associations no longer have the right to bring an action to enforce data protection law under objective law. It can also be derived from Art. 84 para. 1 GDPR, since the right of associations to bring an action pursuant to Section 8 (1) of the German Data Protection Act (DSGVO) does not apply. 3 No. 3 UWG is not aimed at a sanction within the meaning of the GDPR. In view of the requirements of Article 80 (1) of the German Civil Code, it is also not possible to assert a right to bring an action in one’s own right under the provisions of the German Injunctions Act (UKlaG). 2 GDPR considerations are doubtful, because in this respect at least the violation of rights of a data subject would have to be asserted.

 

Right of consumer associations to take legal action in their own right

The ECJ has now clarified that consumer associations qualified under German law continue to have the authority to take action against data protection violations in their own right. It is true that an action by an association can only be brought independently of an order issued if, in the opinion of the association bringing the action, the data protection rights of a data subject have been violated. For the purposes of an action by an association, however, it cannot be required that the association bringing the action individually identifies in advance the person specifically affected by an assumed data protection violation. Since, according to Art. 4 No. 1 GDPR, data subjects also include identifiable natural persons and not only already identified persons, it is sufficient to name a category or group of persons affected by the allegedly unlawful data processing. Nor was proof of a specific violation of data protection rights of these persons a prerequisite for bringing an action by association. The fact that a violation of data protection regulations is asserted in the context of proceedings for the enforcement of other regulations serving consumer protection is also harmless. This is because data protection violations can also result in violations of consumer protection regulations or unfair business practices.

 

Increased risk of GDPR lawsuits

Companies must therefore once again increasingly expect to be sued by consumer associations for possible data protection violations. This is because it has now been clarified by the highest court that they do not need an order from a person affected by a data protection breach to do so, even under the DSGVO. They can take action on their own initiative if they believe that a company is violating data protection regulations. The further requirements of the right to bring an action by a representative body as named by the ECJ are comparatively easy to fulfill. It is unlikely that the German consumer associations will fail to take advantage of the opportunities they have been granted to take action against companies. Consequently, greater care should be taken to ensure that the information on the processing of personal data that is readily accessible via a website or otherwise does not allow any conclusion to be drawn about data protection violations. This applies in particular to the information to be provided in accordance with Articles 13 and 14 of the GDPR, the request for consent, for example, to the use of cookies and other technologies that are not technically absolutely necessary – whereby the restrictive view taken by the German supervisory authorities on the equivalent possibility of refusing such applications is to be criticized – as well as published contractual provisions with references to the processing of personal data.

Explore #more

09.01.2025 | In the media

KPMG Law strengthens Legal Transformation Managed Services and Legal Corporate Services with two new senior managers

On January 1, KPMG Law strengthened its Transformation Managed Services practice with Jana Sichelschmidt and its Corporate Services practice with Dr. Michaela Lenk. Both are…

06.01.2025 | Deal Notifications

KPMG Law advises on the sale of Käppler & Pausch GmbH

Gabriel Pausch, the co-founder and main shareholder of Käppler & Pausch GmbH, a system supplier for metal assemblies as well as metal and sheet metal…

03.01.2025 | In the media

Interview in Betrieb on the EU money laundering package and its impact

The EU anti-money laundering package harmonizes anti-money laundering and counter-terrorism rules in Europe and introduces new measures such as cash limits of €10,000, identification requirements…

02.01.2025 | In the media

KPMG Law Statement in eMagazin Immobilienanwälte: Creativity meets law in trademark protection

Four Frankfurt, Elbtower, Vonovia: real estate projects and companies are backed by constructs worth millions or even billions. In order to stand out from the…

20.12.2024 | KPMG Law Insights

The EU packaging regulation sets strict requirements for packaging

The EU has adopted the Packaging Regulation. After the European Parliament adopted the Commission’s draft on April 24, 2024, the EU member states also approved…

20.12.2024 | Deal Notifications

KPMG and KPMG Law supported the sale of circular Informationssysteme to the teccle group

Together with the corporate finance/M&A advisors of KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG), KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of circular Informationssysteme GmbH (circular)…

19.12.2024 | Press releases

KPMG Law defends Federal Motor Transport Authority against claim for damages in connection with the emissions scandal

The state is not liable to vehicle purchasers for damages. KPMG Law has defended the Federal Motor Transport Authority (KBA) against a civil plaintiff’s state…

18.12.2024 | KPMG Law Insights, KPMG Law Insights

MiCAR – What the new EU regulation means for crypto service providers and issuers

An EU regulation will soon come into force that will regulate crypto assets uniformly throughout Europe. It contains significant new obligations for issuers and crypto…

16.12.2024 | Deal Notifications

KPMG Law advises CERTANIA Holding GmbH on the acquisition of RASG Holdco Ltd.

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) has provided legal advice to CERTANIA Holding GmbH, a platform of the Munich-based PE firm Greenpeak Partners, on the…

04.12.2024 | Deal Notifications

KPMG Law and KPMG advises Brain Biotech AG on license agreements and monetization of license rights

KPMG Law Rechtsanwaltsgesellschaft mbH and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Brain Biotech AG on the monetization of licensing rights with Royalty Pharma and the conclusion…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

Maik Ringel

Senior Manager

Münzgasse 2
04107 Leipzig

Tel.: +49 341 22572563
mringel@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll