Global menu

Our global pages


Consumer protection associations can now also take legal action against personal data breaches

  • Germany
  • Litigation and dispute management
  • Privacy, data protection and cybersecurity



Please find our First Aid Flyer here.

With its decision dated 28 April 2022, the European Court of Justice (ECJ) has confirmed that also consumer protection associations have the right to sue if they intend to claim personal data breaches. This has so far only been possible for the data subjects themselves and will from now on also be possible irrespective of a specific damage event or instruction by the data subjects. This considerably increases the risk for companies with a strong public visibility and/or web presence. You can find the entire decision here.

In the following, we would like to summarise the consequences of this decision and give answers to the most important questions.

Key messages of the ECJ

– The subject-matter of the decision was an action for a cease-and-desist order by the Federation of German Consumer Organisations (Bundesverband der Verbraucherzentralen und Verbraucherverbände, VZBV) against a large social media provider.

– The German Federal Supreme Court (Bundesgerichtshof, BGH) had doubts regarding the admissibility of an action filed by the VZBV. The BGH was of the opinion that actions based on a breach of the General Data Protection Regulation (GDPR) by an association would only be possible in case of a specific breach of data subject rights.

– With its decision, the ECJ now confirmed the right for associations to bring an action. According to the court, the objective is to defend the interests of the general public against relevant breaches of data protection law. Hence, the protection of the individual is in the foreground, as intended by the GDPR.

The decision from a procedural perspective

1. Consumer protection

– Up to now, individual consumers reported possible data protection breaches or even initiated court proceedings only in rare cases. From now on, consumer association can take over this unpleasant task for the consumers. The consumers' effort required to pursue a personal data breach hence considerably decreases.

– At the same time, we expect that the consumer associations' entitlement to bring an action will lead to an increased number of court proceedings.

2. Competition

– Companies are now in a position to – indirectly – pursue personal data breaches of a competitor. For instance, it is now possible for companies to directly report possible breaches of competitors to the Centre for Protection against Unfair Competition (Wettbewerbszentrale) and to have these enforced in court by the latter.

– Besides, a similar development could be observed within the framework of the German Act on Injunctive Relief (Unterlassungsklagengesetz, UKlaG). The locus standi of associations has led to the fact that the use of invalid general terms and conditions has since been increasingly admonished and may even be pursued in court.

Relevance for companies and next steps

1. Who is affected by the decision?

– In principle, this decision concerns all companies. However, it can be expected that associations will now particularly take a closer look at breaches of the GDPR by large global companies.

– Specifically online shops and companies in B2C trade tend to attract the interest of consumer associations.

– We expect that in particular privacy notices and cookie banners as well as consent forms (e.g. for newsletters) as publicly available documents will be in the focus of the consumer associations.

2. What should be the next steps?

– We recommend quickly reviewing the publicly available privacy notices.

– Cookie banners will now even more be in the focus. We urgently recommend considering the guidelines of the Data Protection Conference (Datenschutzkonferenz), since the consumer protection associations will regard these as "gold standard".

– Marketing informed consent forms should be reviewed in particular with respect to their comprehensibility and completeness.

3. How we can help:

– Please use our First Aid Checklist with practical examples in order to gain a first overview of frequent pitfalls and mistakes.

– Our Data Protection Team will be happy to assist you with the review of your webpages, in particular your privacy notices and cookie banners as well as your marketing communication.

4. Outlook and recommendation

– It can so far only be speculated to which extent consumer associations will now pursue and enforce personal data breaches. However, it is to be expected that the number of court proceedings regarding non-compliance with the GDPR regulations will increase.

– Against this background, all companies are urgently recommended reviewing their data protection provisions with respect to compliance with the GDPR regulations. Only in this way, cost-intensive and lengthy court proceedings can be avoided. It should be widely known that such proceedings may also have negative effects on a company's reputation.