For years, it was disputed whether violations of the General Data Protection Regulation (GDPR) could be pursued by competitors under the German Unfair Competition Act (UWG). The question was particularly relevant for online businesses, where data-driven marketing and automated processing are part of everyday operations.
This legal uncertainty has been fully resolved.
CJEU and BGH: Competitors may send warnings for GDPR violations
In its landmark judgment of 4 October 2024 (C-21/23), the Court of Justice of the European Union held that GDPR infringements can constitute unfair commercial practices — and therefore give competitors standing to pursue them under national competition law.
The German Federal Court of Justice (BGH) confirmed this approach shortly afterwards in the judgements of 27 March 2025 (I ZR 222/19and I ZR 223/19).
As a result, companies must expect that data protection violations may lead not only to regulatory fines, but also to competitor warnings, injunctions and court proceedings.
Why GDPR Violations Can Be Targeted by Competitor Warnings
Data protection rules are not only designed to protect the privacy of individuals — they also have a direct impact on competitive fairness. When a company processes personal data unlawfully, it may gain advantages over compliant competitors, for example by obtaining more marketing data, saving compliance costs or collecting customer information without valid consent.
Following the 2024 CJEU judgment (and its confirmation by the BGH in 2025), competitors may warn and pursue businesses that violate the GDPR, provided the violation also constitutes an unfair commercial practice under the UWG.
When is a GDPR violation “competitively relevant”?
A GDPR breach becomes relevant under unfair-competition law where it does more than merely infringe data protection rules in the abstract: it must also affect market behaviour and confer a tangible advantage on the infringing company. In practice, this is the case if a GDPR violation forms part of a commercial practice under the UWG and enables the infringer to advertise more aggressively, collect or exploit more data than its competitors, or present itself in a way that misleads customers about how their data is handled.
Typical GDPR Violations That Competitors Can Warn Against
GDPR infringements occur in many forms. The following types of violations are frequently the subject of competitor warnings and court proceedings:
1. Missing or invalid consent (Opt-in requirements)
Processing personal data without a valid consent mechanism is one of the most common violations. Examples include:
- Newsletter sign-ups without proper Double-Opt-In
(CJEU and BGH case law requires a verifiable Double-Opt-In process.) - Use of tracking or marketing cookies without active Opt-In
A simple “cookie banner” without granular choices is insufficient. - Consent boxes pre-ticked or hidden in the checkout process
This is invalid and constitutes both a GDPR and UWG violation.
2. Defective or incomplete privacy notices
Companies may be warned if:
- essential information is missing (purposes, legal bases, retention periods, recipients),
- the use of analytics or plug-ins is not transparently disclosed,
- the privacy notice is outdated or factually wrong.
A frequent issue: plug-ins such as YouTube, Meta Pixel, social media widgets or embedded maps are active before consent is obtained, and this is not explained to users.
3. Using plug-ins, tracking tools or analytics without a legal basis
Examples include:
- Google Analytics or GA4 implemented without Opt-In
- Meta Pixel firing before consent
- embedded videos or social media buttons transmitting user data immediately on page load
- session-recording tools not disclosed in the privacy notice
Such violations are highly visible to competitors and therefore frequently abmahnfähig.
4. Unlawful collection of customer data in the ordering process
- collecting more customer data than necessary
- storing data longer than permitted
- passing personal data to third parties without legal basis
- using order data for advertising purposes without consent
These violations not only breach the GDPR but also distort market competition.
5. Unlawful e-mail advertising
Sending marketing e-mails without a valid Opt-In is a classic and high-risk violation.
Exceptions (e.g., “existing customer privilege”) are often misapplied and therefore provide fertile ground for competitor warnings.
6. Missing privacy notice altogether
Even today, some websites or online shops lack a compliant privacy notice. Courts have repeatedly held that this constitutes a market-related violation and is therefore subject to competitor warnings.
7. Copying a privacy notice from another website
Businesses face warnings because their privacy notice has been:
- copied from another provider,
- obviously mismatched to their own processing activities, or
- used without permission (which may trigger copyright claims in addition to GDPR/UWG issues).
How a GDPR Competitor Warning Works
- Legal assessment
We analyse the identified practice and examine whether a GDPR violation exists that also qualifies as an unfair commercial practice.
- Warning letter (Abmahnung)
We prepare a legally sound warning, request a cease-and-desist declaration and set a short deadline.
- Temporary injunction
If the competitor does not comply, we file for an injunction with the competent court — usually within days.
- Main proceedings
If necessary, we pursue a full claim for injunctive relief, removal and damages.
Your Legal Support for GDPR-Based Competitor Warnings
With our support, you can rely on:
As specialised attorneys in competition law, we help companies enforce their rights swiftly and effectively when competitors disregard GDPR obligations and gain unlawful advantages in the market.
- Rapid action: GDPR violations must be stopped immediately. We prepare and send a legally sound warning without delay.
- Effective enforcement: With many years of experience in competition litigation, we enforce your rights efficiently.