Changeflow GovPing Data Privacy & Cybersecurity CJEU Rules Online Marketplaces Are GDPR Data Co...
Priority review Notice Added Final

CJEU Rules Online Marketplaces Are GDPR Data Controllers

Favicon for www.dataprotection.ro Romania ANSPDCP
Detected
Email

Summary

Romania's National Supervisory Authority for Personal Data Processing reported that the Court of Justice of the European Union ruled that online marketplace operators qualify as GDPR data controllers for personal data processed in connection with transaction operations. The ruling clarifies that platforms facilitating third-party sales cannot escape data controller obligations by characterising themselves as mere intermediaries or hosting providers.

Why this matters

Online marketplace operators across the EU should treat this CJEU ruling as definitively establishing their data controller status under GDPR, regardless of how they have previously characterised their role. Affected platforms should audit their existing compliance programs against the full range of controller obligations: legal basis documentation, data subject rights procedures, Records of Processing Activities, and data processing agreements with third-party sellers should be reviewed and updated to reflect this clarified controller status.

AI-drafted from the source document, validated against GovPing's analyst note standards . For the primary regulatory language, read the source document .
Published by ANSPDCP on dataprotection.ro . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .
View original document View source feed page

What changed

The CJEU determined that operators of online marketplaces are data controllers under GDPR Article 4(7) for personal data processing linked to marketplace transactions. This interpretation confirms that platforms cannot avoid GDPR controller obligations by characterising their services as neutral hosting or intermediary functions.\n\nOnline marketplace operators must now ensure full GDPR compliance as data controllers, including establishing lawful legal bases for processing, maintaining records of processing activities, handling data subject requests, and implementing appropriate technical and organisational security measures. Platforms that rely on third-party sellers to manage their own compliance may need to revise their contractual arrangements and data-sharing practices.

Archived snapshot

Apr 20, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

The National Supervisory Authority For Personal Data Processing

Mentioned entities

General Data Protection Regulation

Related changes

Favicon for www.dataprotection.ro Roumasport Fined €10,000 for GDPR Breach
Urgent Apr 20, 2026 Romania ANSPDCP Data Privacy & Cybersecurity
Favicon for www.dataprotection.ro Fine 15,000 Lei for Violation of Law 506/2004 (Cookies)
Priority review Apr 20, 2026 Romania ANSPDCP Data Privacy & Cybersecurity

Get daily alerts for Romania ANSPDCP

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.dataprotection.ro
Romania ANSPDCP dataprotection.ro/index.jsp?page=Home&lang=en
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from ANSPDCP.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
ANSPDCP
Instrument
Notice
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
Data processing Marketplace operations Consumer transactions
Geographic scope
European Union EU

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Compliance frameworks
GDPR
Topics
Consumer Protection Intellectual Property

Browse Categories

Agriculture & Food Safety 73 Banking & Finance 406 Consumer Protection 89 Courts & Legal 411 Data Privacy & Cybersecurity 89 Defense & National Security 53 Education 55 Energy 100 Environment 151 Gaming 2 Government & Legislation 430 Healthcare 15 Healthcare & Life Sciences 375 Immigration 10 Insurance 75 Labor & Employment 132 Pharma & Drug Safety 21 Professional Licensing 7 Real Estate & Housing 77 Securities & Markets 153 Tax 78 Telecom & Technology 50 Trade & Sanctions 141 Transportation 91

Get alerts for this source

We'll email you when Romania ANSPDCP publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!