eBay - GDPR - Legality of re-assigning Data Controllers?
posted 3 years ago
This question is concerned with the user privacy notice and practices of eBay, in particular its compliance with the European Data Protection Regulation 2016.
According to Article 27 (Representatives of Controllers or Processors not established in the union), section 3:
The representatives shall be established in one of the EU Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.
This means that any data processor must have a representative located physically within the EU and eBay must ensure that any third-party companies that they pass information to MUST have a representative within the EU, or they are failing their compliance with GDPR.
eBay indicates that:
When you transact with another user, we enable you to obtain or we may provide you with the personal information of the other user (such as their name, account ID, email address, contact details, delivery and billing addresses) to complete the transaction. Independent from us, you are the controller of such data and we encourage you to inform the other user about your privacy practices and respect their privacy. In all cases, you must comply with the applicable privacy laws, and must give the other user a chance to remove them from your database and give them a chance to review what information you have collected about them.
If eBay is functioning as the Data Controller, how can they legally transfer the role of Data Controller to a Data Subject?