In September 2020, the European Data Protection Board (EDPB), the European body that watches over the consistent application of data protection rules throughout the European Union, issued a set of guidelines on the concept of controller in the GDPR.
When discussing joint controllers, the EDPB mentioned the example of an online booking platform. To the EDPB it is clear that all participants in this platform are joint controllers. So if a retailer on the platform is in breach of the GDPR, the platform operator can also be liable for that retailer's breach.
How the liability will be distributed will have to be decided on a case-by-case basis.
Naturally, marketplace and platform operators are concerned by this guideline. They have typically spent a whole lot of euros/pounds/dollars on GDPR compliance, so they don’t want to end up being fined because a local fashion shop/hotel/design store/… on their platform didn’t put in the GDPR effort.
Platform operators get even more nervous when they connect the EDPB guideline with the Google Spain decision of the European Court. That decision may imply that whenever platform operators are able to prevent an infringement of data protection laws, they should do so, either by persuading the platform participant to demonstrate compliance with its data protection obligations, or by removing the unwilling platform participant.
In sum: if marketplace and platform operators want to shield themselves from GDPR claims and fines, they will need to start asking platform participants for proof of GDPR compliance and may even go so far as to refuse any retailer who didn’t put in the GDPR effort.