BGH recognizes first provisions of the GDPR as market conduct rules

In its rulings of March 27, 2025 (Ref. I ZR 186/17, I ZR 222/19 and I ZR 223/19), the German Federal Court of Justice (BGH) qualified specific provisions of the General Data Protection Regulation (GDPR) as market conduct regulations within the meaning of Section 3a of the German Act against Unfair Competition (UWG) for the first time.

This classification has considerable relevance for the assessment of data protection violations from the perspective of competition law, as the Federal Court of Justice emphasized in 2009 (case no. I ZR 152/07) that it is not the task of unfair competition law to sanction all legal violations in a business context under competition law – even if these are accompanied by a competitive advantage.

A. Previous decisions of the ECJ

The current national decision was preceded by a series of questions referred to the European Court of Justice (ECJ). In particular, the ECJ was asked the fundamental question of whether the provisions of the GDPR exclude the applicability of national competition law provisions.

In its judgment of October 4, 2024 (Case C-21/23), the ECJ clarified that the GDPR does not preclude national provisions “which – in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation and the legal remedies available to data subjects – grant competitors of the alleged infringer of personal data protection rules the power to bring proceedings against the infringer for infringements of the GDPR before the civil courts on the basis of the prohibition of unfair commercial practices”

The ECJ justified this view with the lack of an explicit exclusion provision within the GDPR that would prohibit civil law claims by competitors. Nevertheless, the Court emphasized that the GDPR should not be qualified as a blanket market conduct regulation. Rather, it is up to the national courts to examine on a case-by-case basis whether a specific GDPR provision is to be regarded as a market conduct rule within the meaning of Section 3a UWG in terms of its content and purpose.

In proceedings C-319/20 and C-757/22, the ECJ also specified that associations may be entitled to bring an action pursuant to Art. 80 GDPR even without an express mandate and irrespective of an individual infringement. It was also confirmed that the provision of data protection information within the meaning of Art. 13 GDPR constitutes data processing within the meaning of Art. 4 GDPR.

B. National interpretation by the BGH

According to press release no. 59/2025 dated March 27, 2025, the Federal Court of Justice has now determined for the first time at national level in the aforementioned proceedings that certain provisions of the GDPR – specifically Art. 12 para. 1 sentence 1 and Art. 13 para. 1 lit. c and e (case no. I ZR 186/17) and Art. 9 para. 1 (case no. I ZR 222/19 and I ZR 223/19) – have the character of market conduct rules within the meaning of Section 3a UWG.

a. Art. 12 para. 1 sentence 1 and Art. 13 para. 1 lit. c and e GDPR
The BGH justified the classification of these standards as relevant to market conduct by stating that
“Based on the economic importance of the processing of personal data for internet-based business models, the use of which is remunerated by the consumer with the disclosure of personal data, …. the data protection information obligations are of central importance. They are intended to ensure that the consumer is informed as comprehensively as possible about the scope and implications of this declaration of consent when making a demand decision, which is linked to consent to the processing of personal data, in order to be able to make an informed decision.”

Against this background, the BGH found that the breach of these data protection information obligations “also constitutes a breach of fair trading law in terms of the withholding of material information pursuant to Section 5a (1) UWG”.

b. Art. 9 GDPR
In the case of Art. 9 GDPR, the BGH again assumed a market conduct regulation, as the requirement of consent to the processing of personal data contained in Art. 9 GDPR “serves to protect consumers’ personal rights interests, especially in connection with their market participation”.

It also states that consumers should be free to decide “whether and to what extent they disclose their data in order to participate in the market and conclude contracts.

C. Conclusion

With its recent case law, the Federal Court of Justice has for the first time classified three specific provisions of the General Data Protection Regulation – Art. 12 para. 1 sentence 1, Art. 13 para. 1 lit. c and e as well as Art. 9 para. 1 GDPR – as market conduct rules. The decision is largely based on the BGH’s classification that personal data is an economically relevant resource in digital business transactions, the legal protection of which can also have implications under unfair competition law.

Nevertheless, the judgments cannot be applied across the board to all provisions of the GDPR. In future, it will still be necessary for the national courts to examine each individual case to determine whether the content and function of the specific infringed provision qualifies as a market conduct rule within the meaning of Section 3a UWG.

The central dogmatic objection to the sanctioning of data protection violations under competition law remains the different objectives of data protection law and fair trading law. The GDPR primarily aims to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data (Art. 1 para. 2 GDPR). In contrast to traditional market conduct standards, it therefore often lacks a direct link to competition-related behavior.

Nevertheless, with its recent rulings, the Federal Court of Justice has clearly encouraged the possibility of civil claims by competitors for data protection violations. An increase in corresponding lawsuits is therefore to be expected.

This means that companies urgently need to comply with their data protection obligations with great care, also with regard to competition law. This applies in particular to the handling of special personal data within the meaning of Art. 9 GDPR, for example in the healthcare sector.

A transparent and GDPR-compliant privacy policy and data protection practices are key prerequisites for effectively protecting yourself against attacks under fair trading law.