Consumer protection associations have the right to warn and sue in the event of GDPR violations

by admin

Based on an earlier decision by the ECJ, it is already clear that consumer protection associations are generally allowed to issue warnings and sue in the event of GDPR violations. A further decision by the ECJ is now pending, which deals with whether this also applies specifically to the obligation to provide information about data processing (in the data protection declaration). For retailers, this means always having a GDPR-compliant data protection declaration in place. We explain the topic and support retailers in implementing their GDPR obligations.

I. The basic problem

The core of the current proceedings before the ECJ (case no. C-757/22) is again the question of whether consumer protection associations have a certain autonomy and are allowed to issue warnings or go to court over potential data protection violations in the absence of a specific order.

Both European and national regulations play a role in answering this question. More precisely, it is about the relationship between national regulations and the requirements of the General Data Protection Regulation (GDPR) and whether these contradict each other. Since the ECJ is ultimately responsible for the interpretation of EU law, such as the GDPR, the Federal Court of Justice (BGH) has now submitted individual questions of interpretation to the ECJ for a decision for the second time.

II. What is it about?

The German consumer association Verbraucherzentrale Bundesverband e. V. (VZBV) sued Meta Platforms Ireland Limited, the operator of the social media platform Facebook, for an injunction.

On its social media platform, Meta made third-party digital games available to its users in a separate area called “App Center”. When users clicked on the “Play now” button, all of their data – such as their e-mail address – was sent to the operators of the respective online games. Information about this data transfer was located below the button. One of the games also had the following notice: “This application may post status updates, photos and more on your behalf.”

In particular, the consumer advice center saw the notice as a violation of the legal requirements for obtaining effective data protection consent from users. With regard to the game with the above-mentioned additional notice, the consumer advice center believed that the general terms and conditions were unreasonably disadvantageous to the user.

III. Do consumer protection associations have the right to issue warnings and take legal action, even without the request of the persons concerned?

In principle, both the provisions of the GDPR and national law in Germany play a role in these court proceedings.

The BGH first turned to the ECJ to clarify the question of whether national regulations could possibly contradict GDPR regulations. On the one hand, it was about the national legal provisions that grant competitors as well as associations, institutions and chambers entitled under national law the power to take action against the infringer over GDPR violations by way of a complaint before the civil courts, even if no specific right of individual data subjects has been violated and there is no order to do so from a data subject.

On the other hand, it was about Art. 80 Para. 1 and 2 GDPR.

According to Art. 80 Para. 1 GDPR, data subjects have the right to mandate

“a non-profit body, organization or association, duly constituted under the law of a Member State, whose statutory objective is in the public interest and which operates in the field of protecting the rights and freedoms of data subjects with regard to the protection of their personal data”

and to be legally represented by them in procedures to ensure the protection of personal data.

Furthermore, Art. 80 Para. 2 GDPR allows EU member states to grant the mentioned institutions, organizations or associations the right to take legal action without a specific order from a data subject if

“they consider that the rights of a data subject under this Regulation have been violated as a result of processing.”

IV. How did the ECJ decide in the first case?

The ECJ found no contradiction between the GDPR and the national regulations and referred to Art. 80 Para. 2 GDPR (judgment of April 28, 2022 – C-319/20).

An institution that pursues a goal that is in the public interest – as in the case of the consumer advice center – may act independently of the existence of a specific order and the violation of specific rights of data subjects, i.e. also raise a (collective) complaint.

As a further prerequisite for this, however, the ECJ stated that the data processing in question must be able to affect the rights of identified or identifiable natural persons under this regulation.

V. What is the second referral to the ECJ about?

The ECJ now has a further question before it for clarification.

The first decision concerned Art. 80 (2) GDPR. According to this provision, however, a consumer protection association is only authorized to issue a warning or sue if it asserts that the rights of the person concerned pursuant to the GDPR have been violated “as a result of (data) processing”.

In its current question to the ECJ, the BGH would now like to know whether such an infringement “as a result of processing” within the meaning of Art. 80 (2) GDPR can also be asserted if the class action – as in the above case – alleges a violation of the information obligations according to Art. 12 Para. 1 Sentence 1 GDPR in conjunction with Art. 13 (1) (c) and (e) GDPR. These provisions include the obligation of the person responsible for data protection to provide information about the processing of personal data, for example in the context of a data protection declaration.

The decision of the ECJ is now eagerly awaited, as it will determine in particular whether consumer protection associations can in principle issue warnings over errors in the data protection declaration without complaints or orders from individual data subjects.

VI. What do online retailers have to consider now?

If online traders violate the GDPR's provisions for the protection of personal data, they must expect warnings and possibly also lawsuits from consumer protection associations, even where these associations have not been commissioned by specific data subjects but act on their own initiative.

We therefore recommend that retailers do their homework on the GDPR and not only make their data processing GDPR-compliant, but also provide the information on data protection in their data protection declaration in full compliance with the requirements.

The IT law firm not only provides its clients with a GDPR-compliant data protection declaration, but also with many guidelines for the legal sale of products on the Internet. Feel free to contact us if you have any questions.

Tip: Do you have any questions about this article? Feel free to discuss them with us in the entrepreneur group of the IT law firm on Facebook.
