>_KrakaTech
OtherMar 31, 2026· 3 min read

Fake Ads on Bakeca with Real Data of a Woman: The Authority Orders New Technical Measures for the Platform

The phone number of a woman ended up, unbeknownst to her, in two ads on Bakeca.it, one in the "massage-wellness" section and one in the "love-dating" section. This information comes from a note published on the website of the Authority: the ads were posted by an unknown user who had used temporary emails to register. For this reason, the Italian Data Protection Authority sanctioned Bakeca s.r.l. with a fine of €5,000 and ordered the adoption of technical and organizational measures suitable to verify that anyone entering a phone number in a "sensitive" ad is indeed the rightful owner or authorized by the actual owner.

The complainant had received calls from strangers interested in the content of the ads and was only able to have the posts removed after a first request and subsequently a formal cease and desist. The company's defenses revealed that Bakeca manages about 135,000 ads per month with a "quality" office of three staff members dedicated to manual control in sensitive categories, while the automatic system only filters previously reported or blocked numbers, without any verification of the actual ownership of the contact indicated. The OTP verification, moreover, only confirms the availability of the email address used for the account, not the ownership of the phone number by the advertiser.

The Violations Asserted

The Authority found violations of Articles 5, 6, 9, 24, 25, and 32 of the GDPR. Furthermore, Bakeca attempted to defend itself by arguing that the CJEU ruling C-492/23 was innovative and therefore not applicable retroactively to the facts in question. The Authority rejected this argument: the principles established by the Court crystallize obligations already implicit in the Regulation, not introducing new obligations. In particular, the ruling establishes that the operator of an online marketplace is the data controller of the data contained in the ads and must, before publication, identify ads with sensitive data, verify whether the advertiser coincides with the interested party, and, failing this, refuse publication unless there is explicit consent from the third party.

The maximum applicable fine is €20 million: the 4% of Bakeca's global revenue is below this threshold, thus the fixed cap applies. The imposed sanction of €5,000, equivalent to 0.025% of the maximum, takes into account the necessary balance between protecting the data subjects and business freedom, as well as the fact that the company has already deleted the ads and blocked the complainant's number. As an aggravating factor, the Authority considered the particular nature of the data processed.

In addition to the financial penalty, the order requires Bakeca to inform the Authority within 60 days of the measures adopted to comply. The company can settle the dispute easily by paying €2,500 (half of the fine) within 30 days. This incident is part of a broader context of the Authority’s attention towards ad platforms: the newsletter dated March 26, 2026 already connected this case to the major fine of €563,052 imposed on Enel Energia for illegal telemarketing, with an overall tightening of controls on the processing of user data.

← OlderElectric Scooters: Goodbye to the 'Wild West'. Here’s How to Regulate Them with License Plates, Costs, and DeadlinesNewer →Fiber to the Office, Cyber and Physical Security, and Wi-Fi 8: How Huawei Rethinks Corporate Networks