What to do in case of warnings due to violations of the DSGVO?

Who is allowed to issue DSGVO warnings at all?

A DSGVO warning can, but does not have to, be issued by a court or a supervisory authority. In real life, it is in fact mainly the competitors of companies who initiate warning letters; you are also entitled to do so.

Example: If company X observes all the guidelines on the General Data Protection Regulation, company Y may receive a warning if it has not done its homework on the DSGVO. According to the law, the conditions for competition must be the same for everyone. A warning for violations of the DSGVO is usually based on the Unfair Competition Act (UWG), which all companies must comply with.

In the event of infringements, the competition can have a DSGVO warning issued and additionally demand an injunction. Interestingly, courts are not always of the same opinion here. This is due to the novelty of the DSGVO. But why is a violation of the DSGVO relevant to competition law at all?

Why can a data protection violation be relevant under competition law?

The DSGVO describes obligations for a company, which can lead to high fines if they are not observed or not fulfilled. For many companies, the implementation of these directives (DSGVO requirements) means that time and budget must be spent in order to comply with all DSGVO requirements. Companies that do not comply, however, save themselves this effort in contrast to their competitors and thus gain a so-called competitive advantage. This is a reason for a warning under the Unfair Competition Act (UWG) and allows for a warning due to a violation of competition law.

Is every infringement of the DSGVO immediately liable to a warning?

So far, this question has been answered almost universally in the affirmative by the courts in Germany. The consequence is that data protection violations of all kinds and sizes can be subject to warnings from competitors and warning associations. The opinion is: those who do not comply with data protection laws have a competitive advantage over competitors who do.

Side note: The fact that certain IT tools and plug-ins are mentioned in the data protection statement has nothing to do with the question of whether they are also permissible under German or EU law. The legally required reference in the data protection statement to tools that store personal data does not mean, however, that these tools are also data protection- compliant.

What types of warnings are known so far?

Warning letters due to missing data protection declaration

Warning letters due to missing data protection declaration Several companies, including a service provider from Augsburg, have a law firm issue warnings to websites that do not have a data protection statement or have an incorrect one. They are demanding the removal of the infringements (infringement: the posting of a data protection declaration) as well as the submission of a consent to refrain from the action and also the assumption of the costs of the DSGVO warning.

Warning notice due to the integration of “Google Fonts

Several law firms, including a law firm from Düsseldorf, are issuing warnings for the integration of “Google Fonts” on websites and landing pages. Here, too, they are demanding the removal of the infringements and the submission of a cease-and-desist declaration as well as the reimbursement of costs.

Warning due to incorrect integration of Google Analytics

One of the first DSGVO warnings is the incorrect integration of “Google Analytics”, for example by a well-known law firm from Hanau.

This type of warning is mostly about an alleged lack of IP anonymisation, a lack of opt-out options and the failure to disclose Google Analytics in the data protection declaration displayed on the homepage.

Warning letters due to “Facebook like” and “share” buttons

The practice of issuing warnings for tools that are connected to Facebook functions has also been going on for some time. Specifically, warnings are issued for the integration of Facebook plugins for sharing and liking on websites. There has been a ruling on this by the Düsseldorf Regional Court since 2016.

A company should definitely expect that Facebook plug-ins, but also plug-ins of other, especially large internet services, will be warned more strongly and more frequently than today in the course of the DSGVO uncertainty.

Warning letters due to missing encryption of contact forms

So far, there are few to no warnings on this topic on abmahnungshilfe.de. However, it is to be expected that the number of warnings will also increase in this area and that some law firms or companies will make a business model out of it.

What to do in the event of a warning for violations of the DSGVO?

In general, as with any other type of warning, there are two ways to proceed. Either you try to come to an out-of-court agreement with the other party in a cost-saving way and get the matter off the table as quickly as possible, or you take legal action against the warning and defend yourself in order to defend against the warning. You should defend yourself if you have not committed any infringement and the warning seems unjustified; you should reach an agreement if you are aware of your infringement and want to limit the damage. In both cases, abmahnungshilfe.de can provide you with a suitable IT law specialist or business mediator.