GDPR and Online marketplaces

The European Commission wants Online marketplaces to take an active role in confirming the compliance levels of its platform participants.

The Covid pandemic boosted E-commerce throughout the EU and the world. This heightened activity also reinvigorated the desire of legislators and regulators to assure the rights of EU citizens in the E-commerce ecosystem.

The European Commission committed themselves to update the rules that define the responsibilities and obligations of providers of digital services, and online platforms. It formulated the Digital Services act, where online platforms oblige themselves to organise their interface in a way that enables traders to respect Union consumer and product safety laws.

So EU law mandates that online platforms enable specific compliance functionalities. Consequently, this changes the way platforms operate. Let’s take GDPR compliance as an example.

GDPR has built in chain responsibility. This means that all of the parties in a data processing chain can be individually held liable for any wrongdoing by any of the parties. Therefore, this results in the exposure of the larger parties.

To date, platform operators have addressed their GDPR chain liability merely by inclusion of contractual clauses in the merchant agreement. In conclusion the merchants state to be compliant, and by provisions to indemnify the platform.

This approach does not provide the necessary cover as desired by the Digital Services act and the platform operator is demanded to take an active role in confirming the GDPR compliance levels of its platform participants.

In short GDPR compliance is a reality for all economic actors. Not only the platform’s own compliance, but also the compliance of its business partners.

The Digital Services act – GDPR and Online marketplaces

The European Commission launched the ambitious Digital Services act (DSa) in order to create a safer digital space where the fundamental rights of users are protected.

The DSa explicitly targets online platforms, because the European Commission firmly believes Europe requires a modern legal framework that ensures the safety of users online. This is to establish governance with the protection of fundamental rights at its forefront, and to maintain a fair and open online platform environment.

Article 22 of the DSa compels online marketplaces to actively check if retailers (the DSa refers to them as traders), are compliant with GDPR (in fact : to check if they are compliant with all the applicable laws of the European Union).
Above all, the online platform must also make the GDPR information available to the final customer, in a clear, easily accessible and comprehensible manner. Furthermore the online platform must design and organise its online interface in a way that enables retailers to comply with their obligations regarding GDPR, as pre-contractual information.

Most importantly, failure to comply with these obligations may incur fines running up to 6% of the annual turnover. Do note that these fines are additional to the GDPR fines already in place.

Don’t forget : online marketplace and retailers are joint controllers!

The European Data Protection Board (EDPB : The European body that watches over the consistent application of data protection rules throughout the European Union) pointed out, in their September 2020 guidelines, on the concept of controller in the GDPR, that the marketplace and its retailers are joint controllers. Guidelines 07/2020 on the concepts of controller and processor in the GDPR | European Data Protection Board (

When talking about joint controllers, the EDPB mentioned the example of an internet booking platform. To the EDPB it is clear that all participants in this platform are joint controllers, therefore joint controllers are jointly liable! So if a retailer on the platform breaches the rules with GDPR, the platform operator can also be liable for the breach by this retailer.

Given the earlier decision of the European Courts in the Google Spain case ( 62012CJ0131), this also signifies that if one of the joint controllers (in this case the online marketplace) can prevent infringement of GDPR, they should do so. This can be done either by persuading the retailer to comply with GDPR, or by disallowing the non-compliant retailer onto their platform.

To summarise : if marketplace and platform operators want to shield themselves from GDPR claims and fines, they need to ask for actual proof of GDPR compliance and need to refuse any retailer who didn’t put in the GDPR effort.

Therefore, a platform can get a GDPR fine as joint controller PLUS a DSa fine. It is also important to note that a German judge recently forced a website to be put offline for lack of a GDPR compliant privacy policy.

Conclusion – The Digital Services Act

Platform operators are being shanghaied into compliance enforcement. They will have to check whether their retailers are complying with the law and will therefore share the consequences if a retailer fails.

The platforms that enable their retailers to be compliant, in a simple and economic way, will have an advantage over the competition. Inevitably, the retailers will flock to these marketplaces, disregarding the platforms where they have to sort things out themselves.