Chapter 3|Due Diligence Obligations - Online Marketplaces|📖 8 min read
1. Providers of online platforms allowing consumers to conclude distance contracts with traders shall ensure that traders can only use their services to promote messages on, or offer products or services to, consumers located in the Union if, prior to the use of their services, the providers of online platforms have obtained the following information:
(a) the name, address, telephone number and electronic mail address of the trader;
(b) a copy of the identification document of the trader or any other electronic identification as defined by Article 3 of Regulation (EU) No 910/2014 of the European Parliament and of the Council;
(c) the payment account details of the trader, where the trader is a natural person; where the trader is not a natural person, the payment account details used by the trader shall also include the name of the holder of the payment account;
(d) where the trader is registered in a trade register or similar public register, the trade register in which the trader is registered and the trader's registration number or equivalent means of identification in that register;
(e) a self-certification by the trader committing to only offer products or services that comply with the applicable rules of Union law.
2. Providers of online platforms shall make best efforts to assess whether the information referred to in points (a), (d) and (e) of paragraph 1 is reliable, including, where applicable, by means of reliable, independent databases. Providers of online platforms shall verify at least the information referred to in points (a) and (c) of paragraph 1 against official databases, or by requesting relevant supporting documents from the trader.
3. Where a provider of an online platform obtains indications that any item of information referred to in paragraph 1 obtained from a given trader is inaccurate, incomplete or not current, that provider shall request the trader to remedy the situation without undue delay.
4. Where the provider of an online platform referred to in paragraph 1 is unable to obtain the information listed in that paragraph, or where that information is not remedied in accordance with paragraph 3, the provider shall not allow that trader to offer any products or services or to present any advertisement on its online platform.
5. Providers of online platforms shall store the information obtained pursuant to paragraph 1 in a secure manner for a period of six months after the end of the contractual relationship with the trader concerned. After the expiry of that period, they shall delete the information.
6. Without prejudice to paragraph 5, providers of online platforms shall, upon receiving a substantiated request by a competent authority or the Commission, provide that authority or the Commission, as applicable, with the information referred to in paragraph 1 in respect of an individual trader or traders, without undue delay and in accordance with the applicable data protection rules.
7. Providers of online platforms shall make the following information available to recipients of the service on their online interface, in a clear, easily accessible and comprehensible manner:
(a) the name, address, telephone number and electronic mail address of the trader;
(b) a summary of the key features of the products or services offered by that trader, to the extent that such information is not already displayed;
(c) where available, the information referred to in point (d) of paragraph 1.
8. The obligations laid down in this Article shall not affect any obligations under Directive 2005/29/EC of the European Parliament and of the Council, Directive 2011/83/EU of the European Parliament and of the Council, Regulation (EU) 2016/679, or sector specific rules on customer or buyer due diligence.
Understanding This Article
Article 30 establishes the DSA's 'Know Your Business Customer' (KYBC) framework for online marketplaces - the platform equivalent of financial services' KYC requirements. Just as banks must verify customer identities, marketplaces must verify trader identities before allowing them to sell to EU consumers. This addresses the 'anonymous seller' problem that has plagued platforms like Amazon Marketplace and eBay, where sellers of counterfeit goods or dangerous products operate behind fake identities.
Paragraph 1 lists seven specific information requirements that marketplaces must collect BEFORE a trader can sell: (a) contact details (name, address, phone, email); (b) identification document or eID; (c) payment account details including account holder name; (d) trade register information if applicable; and (e) compliance self-certification. The 'prior to use' timing is critical - verification must happen during onboarding, not after problems emerge.
Paragraph 2 establishes verification requirements going beyond passive information collection. Marketplaces must verify email, phone, and payment account details 'against official databases' or by requesting supporting documents. For name, trade register, and compliance certification, platforms must 'make best efforts' to assess reliability using independent databases. This dual standard recognizes that some information (contact/payment) is easily verifiable through automated checks, while other information (trade registration, compliance) requires more nuanced assessment.
Paragraphs 3-4 address ongoing accuracy. If marketplace obtains indications information is inaccurate (e.g., email bounces, customer reports fake address), it must request trader remedy the issue 'without undue delay'. If trader doesn't fix it or initial verification fails, marketplace MUST suspend trading - no discretion. This prevents the 'Whack-A-Mole' problem where bad actors simply re-register under new fake identities.
Paragraph 5's 6-month retention requirement balances traceability with privacy. Marketplaces must retain trader information for 6 months after relationship ends (enabling investigation of past transactions), then delete it (minimizing data retention risks). Paragraph 6 grants competent authorities access to trader information upon substantiated request, enabling enforcement while requiring justification.
Paragraph 7 requires consumer-facing transparency: marketplaces must display trader name, address, contact details, and trade registration (if available) on product listings. This enables consumers to verify seller legitimacy, make informed decisions, and contact sellers directly if issues arise. The transparency converts marketplace KYBC verification into consumer-empowering information.
This article fundamentally changes marketplace economics. Pre-DSA, platforms could operate 'hands-off' seller onboarding with minimal verification. Post-DSA, every trader onboarding requires identity verification, document checking, database queries, and ongoing accuracy monitoring. For Amazon Marketplace with 2+ million active sellers, or eBay with 17+ million sellers, this represents massive compliance infrastructure investment.
Key Points
Marketplaces must collect and verify trader information BEFORE allowing sales
For Amazon Marketplace (Large Platform): When new seller wants to join, Amazon must: (1) Collect seller legal name, physical address, phone, email; (2) Request government-issued ID (passport, driver's license) or business registration; (3) Collect payment account details and verify account holder name matches seller identity; (4) If business entity, verify trade register/company house registration; (5) Obtain compliance self-certification; (6) Verify email through confirmation link, phone through SMS/call, payment account through micro-deposit verification; (7) Check name and business registration against databases; (8) ONLY if all verification passes, activate seller account. On product listings, display to consumers: 'Sold by [Seller Legal Name], [Business Address], Contact: [email]'. If customer reports fake address, Amazon must contact seller to remedy within days, or suspend account until fixed. Store all seller documents securely for 6 months after seller closes account, then delete. When German regulator requests information about specific seller selling potentially dangerous products, provide trader information within days.
For eBay (Established Marketplace): eBay's legacy system allowed sellers to register with just email and PayPal account. Article 30 requires complete overhaul: implement seller verification system requiring ID documents, physical address verification, trade register checks for businesses, compliance self-certifications. For 17+ million existing sellers, eBay must: (1) Implement phased re-verification program, (2) Suspend high-risk sellers (e.g., selling restricted goods) until they complete verification, (3) Allow low-risk sellers grace period to comply. Display verified seller information prominently on listings. Build database integration to verify UK Companies House registrations, EU business registers, payment account details. Implement monitoring system to detect bounced emails, disconnected phones, suspicious address changes - triggering re-verification or suspension.
For Vinted (Peer-to-Peer Marketplace): Vinted facilitates consumer-to-consumer sales of secondhand clothing. Article 30 distinction between 'traders' and 'consumers' becomes critical. Occasional sellers (e.g., parent selling outgrown children's clothes) are consumers, not traders - Article 30 doesn't apply. But professional sellers (e.g., reseller running vintage clothing business) are traders - full verification required. Vinted must: (1) Implement seller classification system detecting professional activity (e.g., >50 listings/month, business descriptions, systematic pricing); (2) When user crosses trader threshold, trigger Article 30 verification workflow; (3) Request trader registration documents, payment account verification, compliance certification; (4) Display trader information on their listings while maintaining privacy for consumer sellers. This preserves peer-to-peer nature while ensuring professional sellers are accountable.
For Etsy (Artisan Marketplace): Most Etsy sellers are small businesses or solo artisans - all are traders under DSA. Etsy must verify every shop: collect legal names, physical addresses (not just PO boxes), phone numbers, emails, government IDs or business registrations, payment account details. Verify email and phone through automated checks, payment accounts through banking system integration. For 5+ million active sellers globally, require all EU sellers and sellers targeting EU consumers complete verification. Display seller business information on shop pages and product listings. Implement automated monitoring: flag sellers with high complaint rates, returned emails, disconnected phones for re-verification. When French authorities investigate counterfeit goods, provide seller information within statutory timeframe. For sellers in countries without trade registers (e.g., US sole proprietors), accept alternative documentation (EIN letters, business licenses, bank statements) as verification.
For Shopify (Platform Enabling Individual Stores): Shopify's model differs - it provides infrastructure for merchants to run independent stores, not centralized marketplace. Article 30 likely doesn't apply to Shopify itself (merchants don't sell 'on' Shopify platform), but applies to Shopify merchants who enable third-party sellers on their stores. A merchant running multi-vendor marketplace on Shopify must implement Article 30 verification for their sellers. Shopify might offer compliance tools: app marketplace plugins for trader verification, ID document scanning APIs, trade register lookup integrations, seller information display widgets. But primary Article 30 responsibility rests with merchant operating marketplace, not Shopify infrastructure provider.