In our December newsletter, you will find the following topics:
Operator of online marketplace is controller for advertisement data
On 2 December 2025, the Court of Justice of the European Union (CJEU) ruled in a case concerning the role of online marketplace operators under the GDPR for advertisements containing personal data.
The case concerned the Romanian online marketplace Russmedia. A third party placed a misleading advertisement on Russmedia’s platform, suggesting that a woman was offering sexual services. The advertisement was published without her consent and contained photos and contact details of the woman. Russmedia removed the advertisement from its platform following a report by the woman, but by that time the advertisement had already been picked up and copied by other websites.
The CJEU emphasises that the advertisement contained personal data and, insofar as it relates to sexual behaviour, contained special categories of personal data within the meaning of Article 9(1) of the GDPR. The publication of such data is prohibited unless an exemption applies within the meaning of Article 9(2) of the GDPR, such as the explicit consent of the data subject.
The CJEU ruled that an operator of an online marketplace on which advertisements containing personal data can be published qualifies as a joint controller with the advertiser. As such, the operator is responsible for ensuring the lawfulness of that processing in line with the GDPR. According to the CJEU, this means that the operator of an online marketplace must check whether an advertisement contains special categories of personal data prior to its publication on its platform, and if so, whether the advertiser is also the data subject. If this is not the case, publication must be refused, unless the advertiser can prove that the data subject has given their explicit consent for publication.
According to the CJEU, platform operators cannot invoke the liability limitations set out in Articles 12 to 15 of the E-Commerce Directive to alleviate non-compliance with their obligations pursuant to the GDPR. The protection sought by the E-Commerce Directive may not, under any circumstances, undermine the requirements of the GDPR.
In response to this judgment (which, given its far-reaching consequences, has caused quite a stir), operators of online marketplaces will have to determine whether and how they can make prior checks and identity verification possible and implement effective security measures. Failure to comply with these obligations may result in liability and claims for damages.
AP launches data security inspections in healthcare sector
On 3 December 2025, the Dutch Data Protection Authority (DDPA) announced that it will be conducting unannounced visits to healthcare providers in the coming months to inspect their handling of patients' medical personal data. During these visits, the DDPA will not only review GDPR compliance, but also provide information on how best to implement compliance measures. The DDPA will focus in particular on hospitals, GP practices and other healthcare institutions.
The trigger for these inspections is the large number of data breaches in the healthcare sector. In 2024, the DDPA received more than 6,800 reports of data breaches from healthcare organisations. The sector is also an attractive target for cybercriminals, who regularly threaten to publish or sell sensitive information if no ransom is paid. A recent example is the hack at the Clinical Diagnostics laboratory, which processed medical data for demographic research.
The DDPA observed that many healthcare organisations have not yet got their security in order and that things regularly go wrong when exchanging patient data. Health data are special categories of personal data and therefore require extra protection and safeguards. Healthcare providers must ensure that only practitioners and authorised employees have access to medical records and that this access is actively monitored. In addition, they must take appropriate technical and organisational measures to protect these personal data against unauthorised access and other data breaches.
For healthcare providers, this means that they must critically evaluate their security policy and the measures taken and tighten them where necessary. Failure to comply with the GDPR can lead to significant risks for patients and to enforcement measures, including fines. The DDPA emphasises that compliance with legal standards is not optional and that it wants to help organisations implement improvements that promote compliance.
EDPB publishes recommendations on mandatory accounts in e-commerce sector
On 3 December 2025, the European Data Protection Board (EDPB) published recommendations for consultation on mandatory user accounts on e-commerce websites. The recommendations clarify when it is and is not permitted to mandate consumers to create an account to purchase products or services online.
The EDPB notes that controllers in the e-commerce sector often invoke the performance of a contract, compliance with a legal obligation or a legitimate interest as a ground for mandating the creation of a user account. In practice, however, the processing of account data usually does not meet the objective necessity to successfully invoke any of these legal bases.
Only in specific cases, such as subscription services or to gain access to exclusive offers, could the mandatory creation of an account be considered objectively necessary for the performance of the contract. For one-off purchases, the processing of personal data can also be carried out without an account, for example by means of a guest mode.
The EDPB emphasises that the mandatory creation of user accounts opens the door to significant privacy risks, including excessive long-term storage of personal data, an increased risk of data breaches, and unauthorised tracking and profiling. According to the EDPB, e-commerce traders could be in violation of the principles of data minimisation and storage limitation, and of the obligations of privacy by default and privacy by design, by allowing these risks to persist.
The EDPB recommends that e-commerce traders always offer a choice between creating a user account and concluding the purchase as a guest. According to the EDPB, this is the most privacy-friendly option and contributes to transparency and compliance with the GDPR.
Stakeholders can respond and provide feedback on the EDPB's draft recommendations until 12 February 2026.
Regulation on procedural rules for GDPR enforcement published
On 12 December 2025, Regulation (EU) 2025/2518 laying down additional procedural rules concerning the enforcement of the GDPR was published in the Official Journal of the European Union (the Regulation). The Regulation introduces uniform procedures for the enforcement of the GDPR in cross-border processing operations.
The new rules supplement the existing rules on cooperation and consistency between supervisory authorities set out in Articles 60 to 66 GDPR. The aim is to improve cooperation between national supervisory authorities and the EDPB and to increase legal certainty for data subjects and controllers.
The Regulation includes deadlines for handling complaints and exchanging information between supervisory authorities. Complaints must be forwarded to the lead supervisory authority within six weeks. A draft decision must be submitted by the lead supervisory authority to the other supervisory authorities involved within fifteen months. For complex cases, this period may be extended by up to twelve months.
The Regulation also introduces a procedure for early settlement of complaints where the alleged infringement has ceased, and a simplified cooperation procedure for less complex investigations.
The Regulation also contains safeguards for the right to be heard. Parties must be able to express their views on preliminary findings and draft decisions prior to a final decision. Furthermore, uniform requirements are imposed on relevant and reasoned objections from supervisory authorities and on the dispute resolution procedure by the EDPB. The rules also provide for access to the administrative file, with protection of trade secrets and other confidential information.
The Regulation furthermore provides detailed rules for complaint handling and communication between data subjects and the supervisory authorities.
The Regulation will enter into force on 2 April 2027. From then on, organisations covered by the one-stop-shop mechanism will have to take into account the new procedures for cross-border enforcement.
DDPA warns against personal data transfers to China by TikTok
On 16 December 2025, the DDPA published a warning about the ongoing transfers of personal data from TikTok users to recipients outside the EU, including China. The transfers are occurring despite a recent decision by European supervisory authorities that the transfers are in breach of the GDPR.
The background to this warning lies in a previous ban imposed by the Irish Data Protection Commission (DPC) on TikTok to continue the transfers. The decision of the Irish DPC was adopted by the EDPB through the consistency mechanism. According to this ruling, TikTok's transfers do not comply with the GDPR, which states that the transfer of personal data is only permitted if appropriate safeguards are in place.
Although the Irish court has suspended the prohibition imposed by the Irish DPC until a ruling has been made in the case, the supervisory authorities' ruling that the transfers are unlawful remains in force. TikTok has recently started displaying a notification to users explaining what data it collects and how it uses this data.
The DDPA emphasises that transfers to countries such as China pose risks to the privacy of those involved. Outside the EU, the safeguards provided by the GDPR do not apply, which means that those involved have little control over their data. Young people in particular are often insufficiently aware of these risks.
The DDPA advises TikTok users to check their privacy settings, to refrain from sharing sensitive information and to reconsider continued use of the platform under these circumstances. The AP calls on organisations that use TikTok for processing or marketing purposes to carry out a DPIA and to be transparent about the risks to their target groups.
Marc Elshof, attorney-at-law | partner
T: +31 70 376 06 87 M: +31 6 46 37 61 08 marc.elshof@barentskrans.nl

Job Julicher, attorney-at-law
T: +31 70 376 08 10 M: +31 6 27 42 99 77 job.julicher@barentskrans.nl

Julius Louter, attorney-at-law
T: +31 70 376 06 40 M: +31 6 15 43 37 52 julius.louter@barentskrans.nl

BarentsKrans
The Hague | Amsterdam +31 70 376 06 06 communicatie@barentskrans.nl www.barentskrans.nl