How does the GDPR impact your marketplace?

24 March 2021


Since 25 May 2018, businesses collecting and processing personal data online have had to abide by the General Data Protection Regulation (GDPR). If you are based in the European Union or have clients who are, you need to comply with this text. Aiming to standardise European legislation and consolidate user rights, the GDPR directly affects marketplaces. How can you make sure you’re following the rules? Here are our tips.

GDPR: definition

First name, surname, email address, IP address, bank details, phone numbers… Under the GDPR, any collected and/or stored information that identifies an individual is deemed to be personal data. This European law aims to guarantee more citizen rights when it comes to personal data:

  • Right to consult
  • Right to correct
  • Right to restrict data use
  • Right to object
  • Right to delete

Appraising existing data processing, creating a register of processing activities, undertaking a privacy impact assessment (PIA), introducing a security framework, safeguarding contractual relationships with partners, appointing a Data Protection Officer (DPO)… To abide by the GDPR, you need to introduce certain processes to reinforce the duties and responsibilities of all data processing stakeholders. And it’s important to take these rules seriously. Fail to comply with the GDPR, and a company could be fined up to 20 million euros or 4% of its global turnover.



Marketplace and GDPR: how to make sure you’re in line?

Marketplaces have to process personal data in order to facilitate transactions between buyers and sellers. To abide by the GDPR, marketplace operators should first make sure they get consent from users to process their personal data. A simple and unequivocal phrase should be used. You must tell users which types of data are collected and the reasons why, explaining what it will be used for. Marketplace operators should also be able to prove that informed consent has been given freely, so no pre-ticked boxes are allowed.

Good practice:

  • Keep an updated register of data processing activities, indicating which categories of data about which categories of people (prospects, clients) are processed and why
  • Appoint a Data Protection Officer (DPO): someone to ensure the GDPR is being properly applied at the company
  • Communicate with users about changes to your data processing policy
  • Make sure sellers are also complying with the GDPR by making provisions in the platform’s terms and conditions, and in the intermediary contract

Also ensure your business ecosystem is secure. At the very least, marketplace operators are responsible for jointly processing personal data with third-party services on the platform. Given that the GDPR has made stakeholders more responsible, you need to make sure your subcontractors are following its rules.

Also ensure your platform payment service provider (PSP) is abiding by it. Lemonway is a pan-European payment business that has introduced all the measures required to comply with the GDPR and its interpretations in each nation of the European Union. GDPR, PSD2, AML/CFT… Partnering with businesses to ensure conformity, Lemonway is at the forefront of legislation compliance. Contact us to learn more!

