For a long time it was disputed whether violations of the General Data Protection Regulation (GDPR) could be enforced by competitors under the Act against Unfair Competition (UWG).
The Court of Justice of the European Union (CJEU) has now resolved this uncertainty and brought clarity:
Competitors may issue cease-and-desist notices for data protection violations.
This article explains which types of data protection violations competitors may now issue cease-and-desist notices for, what legal prerequisites must be met, and how a GDPR cease-and-desist notice works.
GDPR violations – your tools against competitors' data protection breaches
Data protection is not only an important topic for the protection of consumer rights, but also for competition. If a competitor violates the General Data Protection Regulation (GDPR), this can not only be unpleasant for the person affected by the unlawful data processing, but can also give the company an unfair advantage on the market.
Since a landmark decision by the CJEU (judgment of 4 October 2024 – C-21/23), companies can specifically issue cease-and-desist notices against their competitors' GDPR violations and thereby ensure fair competition. The prerequisite is that the violation also constitutes an unfair business practice under the UWG.
Is your competition acting unlawfully? Our firm supports you in enforcing your rights and effectively issuing cease-and-desist notices against your competitors' data protection violations.
Typical data protection violations subject to cease-and-desist action
GDPR violations arise in many forms. Some of the most common grounds for cease-and-desist notices are:
- Missing consents: if a competitor processes personal data without proper consent from those affected, this can be an unfair measure that also entitles competitors to assert injunction claims.
- Defective privacy policies: incorrect or missing information on data processing on websites violates the information obligations under the GDPR and may also be subject to cease-and-desist action.
- Inadequate data security measures: if a company fails to take adequate protective measures for personal data, this is also to be regarded as a violation of the GDPR that could, where applicable, be subject to cease-and-desist action on the ground of breach of law.
When can you issue a cease-and-desist notice against your competitors for data protection violations?
You can issue a cease-and-desist notice against your competitors for data protection violations if the GDPR violation also qualifies as an unfair competitive act within the meaning of the UWG (Act against Unfair Competition). This means: data protection violations that simultaneously influence market conduct, such as unlawful processing of customer data, are subject to cease-and-desist action. This may be the case in online retail, customer acquisition or the use of tracking services.
Practical examples:
- Inadequate privacy policy: if you notice that a competitor's website does not have a complete privacy policy, for example because there is no reference to the use of tracking tools and data processing is not made transparent, you can now challenge this by means of a cease-and-desist notice under the latest case law.
- Unlawful data collection on orders: companies frequently process their customers' personal data in the course of sales (for example via a sales platform such as eBay or Amazon) without a legal basis. If you recognise that a competitor is collecting and/or storing customer data that may not be processed in this way, you can issue a cease-and-desist notice following the CJEU decision.
Process of a GDPR cease-and-desist notice
- Review of the violation: we analyse your situation and assess whether a GDPR violation exists that can be subject to a cease-and-desist notice.
- Cease-and-desist notice with a short deadline: we draft a legally sound cease-and-desist letter demanding that your competitor immediately cease the conduct.
- Preliminary injunction: if the competitor does not respond or refuses to provide a penalty-backed cease-and-desist undertaking, we immediately initiate court proceedings to protect your rights in emergency proceedings.
- Main proceedings: should emergency proceedings be insufficient or exceptionally not possible, we consistently enforce your claims in the main proceedings.
Your attorney for GDPR cease-and-desist notices
Protect your business from unfair practices and unscrupulous competitors. As specialist attorneys in competition law, we support you in issuing cease-and-desist notices for GDPR violations and ensure that your competitors comply with the applicable data protection regulations.
You can always rely on the following from ab&d Rechtsanwälte:
- Swift action: data protection violations must be stopped without delay. We ensure that your cease-and-desist notice is issued quickly and in a legally sound manner.
- Efficient enforcement: through our many years of experience in competition and data protection law, we enforce your claims effectively.
- Free initial assessment: we are available for a free, no-obligation initial telephone consultation.
Contact us today for a no-obligation initial assessment! Simply call us on 030 36 41 41 90, write to us at kontakt@abd-partner.de or use our contact form directly!