Right of associations to take legal action against data protection violations is introduced (UKLAG)
The right of associations to take legal action against data privacy violations will come into force shortly upon publication in the Federal Law Gazette. The Federal Council approved the new law in its meeting on 29.01.2016. The right of associations to take legal action against data protection violations is all the more reason for companies to comply with data protection regulations – especially in the areas of advertising and address trading. Otherwise, in addition to fines from the supervisory authorities, there is now a threat of warnings or injunctions from consumer protection associations.
In addition to high costs, warnings or cease-and-desist actions can result in negative public coverage of the company if the consumer protection associations name the companies that have been warned off in their press releases. The right of action by associations for data protection violations exists against unlawful data processing committed by an entrepreneur in the collection or processing of personal data of consumers (Section 2 (2) No. 11 UKlaG) – insofar as they are carried out for purposes:
- of advertising,
- of market and opinion research,
- of the operation of a credit bureau,
- the creation of personality or/and usage profiles,
- of the address trade,
- other data trading or
- for comparable commercial purposes
It will not always be possible to draw a line between this and other data processing, so that the risk of warnings is much greater than for mere consumer protection. In the Act, the legislature for the first time adopts a provision that is intended to prevent any consumer association from being able to issue a warning notice. A list of associations that meet special requirements is drawn up (Section 4 (2) UKlaG). The Federal Ministry of Justice and Consumer Protection is to maintain the list of qualified institutions and be granted the right to monitor their activities (Section 4 (1) UKlaG). Whether such controls will be effective remains to be seen.
Despite various restrictions on the rights of consumer associations, companies will face a significantly higher risk of warnings for data protection violations in the future. The high relevance of compliance with data protection regulations arises above all against the backdrop of the approaching General Data Protection Regulation, which will bring multiple changes to data protection law and stipulate fines of up to €20 million. The amended UKlaG remains unaffected by the new EU law (Art. 76 (2) GDPR). The sanctions against data protection violations will become so severe that an adjustment of the company’s data protection organization is urgently recommended.
If you have any questions about this topic, please contact Dr. Drewes at We are also happy to conduct in-house training on the General Data Protection Regulation. Contact us for a no obligation quote.