GDPR warnings: Handling data protection violations
There has been uncertainty since the new EU GDPR entered into force in May 2018. Although bloggers, associations, and companies had two years to implement the rules, not all have done so comprehensively. The consequences are GDPR warnings and severe fines. Last year, experts already feared that a wave of warnings was on its way. But did it really come to that? What does the current legal situation look like? And what can you do if you find a warning letter in your mailbox?
The General Data Protection Regulation is and will remain new territory
At least at this point. Both experts and courts disagree on many points. Nevertheless, companies are faced with the question: When do you have to worry that a warning letter might be on its way?
- On the one hand, you may be sued by the supervisory authority if you fail to implement the guidelines.
- On the other hand, there is the possibility of a GDPR warning if you gain a competitive advantage over your competitors through a violation.
Those who do not implement the data protection guidelines correctly can expect fines. This is a fact that cannot be denied. If you are unsure whether you have acted in accordance with the guidelines, we recommend our GDPR checklist. You will find all the necessary information on this subject there.
Examples of GDPR warnings
- Missing privacy statements
If you have a website, you are obliged under the EU General Data Protection Regulation to publish a privacy statement on it. This must be clearly formulated and easy to understand, and its primary purpose is to inform users. You tell readers that you are processing personal data, how you do it and for what reason. It is also important that the right to erasure (the "right to be forgotten") is clearly communicated. If the privacy statement is incorrect or missing altogether, you can expect a GDPR warning. Important: Only use plug-ins that conform to data protection regulations. This way you will always be on the safe side.
- Inadequate encryption
More and more companies are adding contact forms to their websites. They are very practical for answering customer questions or booking appointments online. However, it becomes problematic if the form is not sufficiently protected. Therefore, make sure that you use appropriate encryption, i.e. serve the form over HTTPS so that submissions are encrypted in transit. After all, your customers enter personal data such as their name, address, telephone number, etc.
What can you do to protect yourself against GDPR warnings?
First and foremost, you must abide by the existing Federal Data Protection Act and comply with both its guidelines and its specific requirements.
Website operators, for example, should pay attention to the following:
- Legally compliant privacy statement
- Encrypted contact forms
- Check plug-ins and tools before use
Large companies generally have to deal with increasingly complex processes. The more extensive the structures, the greater the effort required to ensure the protection of personal data. In general, we recommend that you compare external data protection officers if you do not have internal specialists. They will actively assist you in implementing the following points:
- Data processing agreements with third parties
- Privacy statement
- Staff training
- IT measures
- Record of processing activities
- Data protection impact assessment
Small and medium-sized enterprises can also obtain support through a data protection kit. Besides a wealth of information and forms, this package also comes with an external data protection officer. In order to prevent GDPR warnings and to implement the General Data Protection Regulation correctly, however, we recommend that large corporations compare data protection software solutions.
What is the current legal situation?
The new EU GDPR came into force on May 25, 2018, and on the very next day various lawyers began sending warnings to companies. The reason: no privacy statement, or an incorrect one, on the website. The company's competitors were often behind it. The question therefore arose as to whether competitors were even allowed to resort to this measure and whether these GDPR warnings were legally binding. The fact is: for a long time, experts could not reach a firm conclusion on this topic. The court rulings only came months later. Nevertheless, we cannot say that the legal situation has been clarified without exception. The following case studies show this:
Würzburg Regional Court: Case no. 11 O 1741/18, August 13, 2018
This case involved a lawyer who did not have a detailed privacy statement on her website. She received a warning and went to court. As the court of first instance, the Würzburg Regional Court ruled that the GDPR violation could be the subject of a warning under competition law. According to this ruling, a seven-line privacy statement was not sufficient.
Bochum Regional Court: Case no. I-12 O 85/18, August 7, 2018
This was a legal dispute between an online shop operator and one of its competitors. The latter claimed that the shop owner had not included certain clauses in the general terms and conditions and that mandatory information was also missing. This was followed by a warning alleging GDPR violations. The court in Bochum, however, rejected the warning, since competitors were not entitled to take this step. Above all, it reasoned that competitors have no right to an injunction even where the duty to provide information has been breached.
Hamburg Higher Regional Court: 3 U 66/17, October 24, 2018
This case concerned the order form of a pharmaceutical company, on which patients were not given the option to consent to data processing. According to a competitor, this did not comply with the EU General Data Protection Regulation. The court agreed. Once again, this affirmed the ability of competitors to issue warnings, but on the premise that the decision is always made on a case-by-case basis.
Two further judgments followed:
- Wiesbaden Regional Court: Case No. 5 O 214/18, November 5, 2018: This ruling states that GDPR violations must not be punished with warnings under competition law.
- Magdeburg Regional Court: January 18, 2019: This court also ruled that competitors may not issue warnings to each other.
The legal situation therefore remains unclear. In order to be absolutely sure that you will not receive any GDPR warnings, you should always take care to adequately implement both the General Data Protection Regulation and the Federal Data Protection Act. In this way, you give neither supervisory authorities nor competitors any opportunity to issue warnings against you.