The EDPB provides clarity
The European Data Protection Board (EDPB) has issued guidelines on the concept of controller under the GDPR. A key element: the clarification of joint controllership on online marketplaces.
The example cited by the EDPB is clear: when a platform and its participants jointly determine how customer data is processed, they are joint controllers. This applies to B2C marketplaces, but equally to B2B platforms.
What does this mean for B2B businesses?
If you sell products or offer services through a B2B platform - such as bol.com business, Amazon Business, or a sector-specific marketplace - you may be a joint controller with that platform.
This has concrete consequences:
1. You share responsibility
If something goes wrong with customer personal data on the platform, you as a participant can be held accountable - not just the platform.
2. You need an agreement
The GDPR requires joint controllers to set out in an agreement who is responsible for what. Check whether the platform’s terms cover this.
3. Your own compliance must be in order
The platform may impose requirements on your privacy policy, processing register, and security measures. Without these in place, you could be excluded from the platform.
The trend is clear
The direction of European regulation is unmistakable: businesses cannot hide behind platforms. Everyone in the chain involved in processing personal data bears responsibility.
For B2B businesses operating through platforms, the advice is: ensure your own GDPR compliance is solid, and verify what arrangements the platform makes regarding joint controllership.
GDPRWise helps you get your processing register, privacy policy, and processing agreements in order.