Newsletter

E-COMMERCE IN FOCUS

March 2026

FIVE AREAS WHERE IT'S WORTH PREVENTING REGULATORY RISKS NOW

ARTICLES

#1 NAV 2026 audit plan - Focus on e-commerce and platforms

The National Tax and Customs Administration (NAV) has published its 2026 audit plan, which pays special attention to the tax practices of online commerce and digital platforms. The audit of retail tax obligations is a specifically named focus area in the plan, in particular the examination of the retail tax liability of e-commerce platforms and the audit of taxpayers who fail to comply with their obligations. E-commerce players can therefore expect increased tax scrutiny in 2026. According to the NAV's justification, the turnover of online marketplaces and e-commerce platforms is growing dynamically, so auditing the sector directly contributes to securing budget revenues and maintaining the competitive neutrality of law-abiding enterprises. The examination of the tax liability of domestic and foreign platforms, as well as the exploration of revenues obtained through the social platforms of online content providers, is of paramount importance.

Practical message: it is worth documenting (i) whether there is a retail tax liability, (ii) whether the reporting practices are appropriate, and (iii) whether the platform-based revenue structure is properly set up.

#2 Prosecutorial action due to the application of unfair general terms and conditions – How much room for maneuver does the operator have with the GTC?

The Prosecutor's Office has filed a lawsuit against an online store selling sporting goods and sportswear due to unfair terms in the general terms and conditions (GTC) it applied. The significance of the case lies in the fact that, when making online purchases, users often accept the relevant GTC simply by ticking a box; consumers typically do not read them and, in particular, do not negotiate these terms and conditions, and have no influence on their content. The Prosecutor's Office is therefore placing increased scrutiny on unilaterally defined terms and conditions in order to protect consumers. According to the Prosecutor's Office's recent practice, the focus is in particular on the following areas: (i) unlimited exclusion of liability in the event of discrepancies between product photos and reality, (ii) contractual limitation of warranty rights, (iii) unilateral amendment of GTCs and cancellation of loyalty points without compensation, (iv) authenticity and veracity of customer reviews. In relation to the latter issue, the Prosecutor's Office also took action against an online store where the operator displayed, as real customer reviews, opinions whose authenticity could not be verified. The Prosecutor's Office specifically drew attention to the fact that online stores can only display "real customer reviews" if they properly inform consumers about whether and, if so, how they verify that the reviews come from real customers.

Practical message: Unfair terms and unfair commercial practices against consumers remain the primary targets of regulatory action – the GTC and the company’s e-commerce practices must be regularly and consistently reviewed to ensure that they comply with the law and current law enforcement practice.

#3 Mandatory registration (“account only”) – Is it really legal under GDPR?

Many e-commerce platforms use an “account-only” model: purchases or even viewing offers are only possible after registration, by creating a user account. According to the draft Recommendation 2/2025 of the European Data Protection Board (EDPB), which was put out for public consultation in December 2025, mandatory user account creation can only be justified in limited cases under the GDPR.

If online shopping is technically possible without registration, mandatory registration cannot be automatically justified from a data protection perspective. In such cases, service providers must be able to demonstrate that registration is essential and that there is no less data-intensive solution.

Practical message: Online commerce platforms should review their use of mandatory registration and – if they maintain it – prepare to document its justification under the GDPR. In contrast, the “guest checkout” solution is not only user-friendly, but also more in line with the principles of data minimization and data protection.

#4 “We just provide an interface” - Is this enough from a data protection perspective?

It is a common assumption that an online marketplace or advertising site is a "mere intermediary" and therefore is not responsible for the content uploaded by users, especially for any personal data that the user may actually upload. The case C-492/23 (Russmedia) pending before the Court of Justice of the European Union has added nuance to this picture.

The facts of the case in brief: someone published the data of another private individual on an online advertising site without the consent of the individual concerned. The platform removed the content in a timely manner after it was flagged – yet the question arose whether this alone was enough.

The Court of Justice of the European Union has ruled that the operator of an online marketplace may be considered a data controller with respect to personal data included in an advertisement published on its platform if the publication takes place within the technical and business framework defined by it. The fact that the content was uploaded by the user does not in itself exclude the operator's liability under the GDPR. This means that not only the person who uploaded the data may be responsible, but also the platform itself, even if the objectionable content is quickly deleted afterwards.

Practical message: It is recommended to rethink the practices of managing user content, especially the preventive and ex post control mechanisms related to the disclosure of personal data, and to review the definition and documentation of data management roles.

#5 Digital Fairness Act – Another wave of regulation in 2026

The European Commission has scheduled the presentation of the Digital Fairness Act (DFA), a legislative initiative focused on addressing online consumer risks, for the fourth quarter of 2026. The expected target areas are:

  • “Dark patterns” (deceptive countdown timers, hidden information, manipulated button layouts),

  • Addictive interface design (infinite scroll, autoplay, especially for minors),

  • Personalized pricing and transparency of advertising,

  • Difficulties in canceling subscriptions (“unsubscribing should be as easy as signing up”),

  • Dropshipping and product safety liability,

  • Transparency of influencer marketing.

Although several of the above elements are already covered by other legislation (e.g. unfair commercial practices, DSA, GDPR), the DFA aims to introduce explicit prohibitions and obligations tailored to the digital environment. Online businesses will have to deal not only with each piece of legislation separately, but also with their combined, layered application. Compliance is increasingly becoming a “design-level” issue: the design of the online interface, the purchasing process, and the user experience can create legal risks in and of themselves.

Practical message: The key to preparation is a coordinated, documented review of the terms and conditions, the purchasing process, data management practices, and the user interface.

Digital compliance is no longer just a matter of legal documentation. In the case of webshops and online platforms, the user interface itself, the purchasing process, and the design solutions used can also carry legal risks.

If you need support with your legal compliance or would like to review your operations, we are at your disposal!
