What actually changed

For years the working assumption in many German companies was simple. Data-protection enforcement came from two directions: the supervisory authorities, who could investigate and fine, and the affected individuals, who could complain or claim damages. Competitors sat outside that circle. That boundary has now moved. The anchoring decision is the EuGH Lindenapotheke judgment (C-21/23) of 4 October 2024, which held that a breach of GDPR rules can also be pursued as an unfair-competition violation under the German UWG. It was carried into German practice by the Bundesgerichtshof follow-through of 23 January 2025 (I ZR 222/19), and it is the current June 2026 business coverage that has put it in front of the wider Mittelstand.

The practical shift is that a competitor can now treat your data handling as a market-conduct matter and issue an Abmahnung, a formal cease-and-desist demand backed by the threat of an injunction. The original case concerned a pharmacy selling non-prescription but pharmacy-only medicines through a marketplace, but the reasoning is not confined to pharmacies. Any operator whose data practices are open to challenge now faces a party that is watching, is motivated, and has legal standing. We note that the anchor ruling is from October 2024 and that cost-reimbursement rules and case specifics can still shift, so the picture below is what to consider, not legal advice.

Why ordinary order data is the sharp edge

The part that should give owners pause is not the enforcement channel alone. It is what the courts treated as sensitive data. In the pharmacy case, the combination of a customer name, a delivery address and the specific product ordered was found capable of qualifying as health data, even though the items were not prescription-only. Health data sits in a stricter category under the GDPR, where the bar for lawful processing rises and, in many situations, explicit consent is expected. In other words, information that a business would see as a routine order record was treated as belonging to the most protected class of personal data.

The implication reaches well beyond pharmacies. A supplement retailer, a medical-supply shop, an optician, a fitness or wellness operator, or any e-commerce seller whose products can hint at a health condition may be handling data that courts could view the same way. That does not mean every online order is health data, and the exact line will be tested case by case. What it does mean is that the assumption of routine data no longer holds automatically, and a competitor now has both the standing and the incentive to argue the point.

What a considered owner reviews now

The measured response is not alarm but a short, honest audit before someone else runs it for you. Sensible questions to put to your team: What data do we collect at checkout and in our forms, on what legal basis, and would that basis survive scrutiny? Where consent is the basis, is it genuine, specific and documented, or is it buried in pre-ticked boxes and vague terms? Do our marketplace listings, cookie handling, tracking pixels and newsletter sign-ups match what our privacy notice actually promises? These are the seams a motivated competitor, or their lawyer, would probe first.

It is worth keeping the cost picture in proportion. Under the UWG, reimbursement of a competitor's warning costs is restricted where the demand rests on a GDPR breach, which softens one financial lever. But the cease-and-desist itself, the injunction risk, the legal fees on your side and the disruption remain very real, and appeal or clarification on the finer points may still come. The prudent move is to treat your data-protection posture as a competitive exposure, not only a regulatory box, and to close the obvious gaps before a rival makes them your problem.