On 2 December 2025, the Court of Justice of the European Union (“CJEU”) in X v Russmedia and Inform Media Press (Case C-492/23) held that the operator of an online marketplace acts as a ‘controller’ under the GDPR in respect of the processing of personal data contained in user-posted advertisements published on their platform, and must comply with their data protection obligations in respect of such publication.
The judgment confirms that the liability exemptions under the e-Commerce Directive (2000/31/EC) (or its successor, the Digital Services Act (“DSA”) (Regulation (EU) 2022/2065), do not override the obligations of the operator of an online marketplace under the GDPR. In particular, the CJEU held that the operator must identify, before publication, advertisements that contain sensitive data in terms of Article 9(1) GDPR, and verify that the user-advertiser is actually the person whose sensitive data appears in the advertisement, or that the advertiser has the explicit consent of that person to publish the advertisement or can rely on another exception under Article 9(2) to do so.
Background
Russmedia Digital, a company incorporated under Romanian law, is the owner of the website www.publi24.ro. The website is an online marketplace on which advertisements concerning the sale of goods or provision of services in Romania can be published free of charge or for a fee.
On 1 August 2018, an unidentified third party published an advertisement on the site, stating that a woman was offering sexual services. The advertisement contained photographs of the woman, which were used without her consent, along with her telephone number. The woman considered that the advertisement was untrue and harmful and therefore asked the website owner to remove it. Russmedia Digital removed the material within an hour of that request. However, the advertisement at issue had already appeared on other websites, where it remained accessible.
Taking the view that the advertisement infringed her right of personal portrayal, the rights to honour, reputation and privacy, and the rules relating to the processing of personal data, the claimant initiated proceedings against Russmedia before the Romanian courts. The Court of First Instance upheld her claim and ordered Russmedia Digital to pay her €7,000 in respect of non-material damage. Russmedia appealed against that judgment. On appeal, however, the Specialised Court found for the company, describing it as “a mere hosting service” that was not liable for the content published by its users.
The claimant then lodged an appeal with the Court of Appeal. It decided to refer the matter to the CJEU for guidance on the interpretation of EU law, in particular in respect of the obligations on the operator of an online marketplace under the GDPR, and as regards the question of whether such an operator may be relieved of those obligations on the basis of the exemption from liability provided for by the eCommerce Directive for providers of information society services.
CJEU Decision
(1) Application of the GDPR
The CJEU ruled that the operator of an online marketplace, such as Russmedia Digital, is a controller (within the meaning of the GDPR) of the personal data contained in an advertisement published on its platform, in circumstances where it exerts influence, for its own purposes, over the publication of such data, and must comply with its obligations under the GDPR in respect of such publication.
Marketplace operator qualifies as Controller of personal data contained in advertisement
In coming to its conclusion that Russmedia is a controller under the GDPR, the CJEU found as follows.
- Russmedia publishes advertisements on its online marketplace for its own commercial purposes, as evidenced by its Ts and Cs. Those Ts and Cs grant it broad freedom to exploit the information published thereon. In particular, Russmedia reserves the right to use published content, distribute it, transmit it, reproduce it, modify it, translate it transfer it to partners and remove it at any time, without the need for any ‘valid’ reason for doing so. Accordingly, Russmedia does not publish personal data contained in the advertisements exclusively on behalf of its user-advertisers, and can exploit those data for its own advertising and commercial purposes.
- Russmedia participated in the determination of the purpose of the processing that consisted in making the personal data contained in the advertisement at issue accessible to internet users in order to put such publications to effective use.
- An operator of an online marketplace, such as Russmedia, cannot avoid liability as controller of personal data, on the ground that it has not itself determined the content of the advertisement at issue.
- Where a marketplace operator, such as Russmedia, sets the parameters for the dissemination of advertisements likely to contain personal data depending on the recipients concerned, determines the presentation and duration of that dissemination or the headings structuring the information published, or even organises the classification which will determine the arrangements for such dissemination, it participates in the determination of the essential elements of the publication of the personal data concerned, thereby exerting a decisive influence on the overall dissemination of those data.
Marketplace operator and the advertising user qualify as ‘joint controllers’ when the advertisement is published
- The CJEU considers that the marketplace operator and the advertising user qualify as ‘joint controllers’, when the advertisement is published on the online marketplace.
- Article 26(1) GDPR provides that where two or more controllers jointly determine the purposes and means of processing, they are joint controllers of that processing. Following its previous decisions in cases such as Fashion ID, the CJEU confirmed that joint controllership does not necessarily require the existence of joint decisions concerning the determination of the purposes and means of the processing of the personal data concerned, rather participation in the determination of those purposes and means may take various forms.
GDPR Obligations of marketplace operator and advertising user as joint controllers
(a) Obligation to verify identity of user-advertiser and person whose data appears in advertisement
- The marketplace operator, as controller of the publication of personal data contained in the advertisement published on its platform, jointly with the user-advertiser, has an obligation to collect and verify the identity of that user-advertiser before publication of the advertisement, and further verify whether that person is the person whose personal data and/or sensitive data appears in that advertisement.
- The marketplace operator must, pursuant to Articles 24 and 25 GDPR, implement appropriate technical and organisational measures enabling it to carry out such verification.
- The CJEU noted, in any event that it is apparent from the transparency obligations in Articles 13 and 14 GDPR, that controllers of personal data must provide their identities and contact details to the data subject. In addition, Article 26 GDPR requires joint controllers of personal data to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under the GDPR. Compliance with such an obligation would prove impossible if one of the controllers of that processing could remain anonymous in relation to the other.
(b) Obligation to ensure a lawful basis exists for processing personal data (including sensitive data)
- In light of the joint controllership, both the marketplace operator and the user-advertiser must be able to demonstrate that the personal data contained in the advertisement is published lawfully, and that in the case of sensitive data under Article 9(1) GDPR, the consent of the data subject has been obtained. In the absence of that consent, the operator of the online marketplace must refuse publication of the advertisement in question, unless it is covered by one of the other exceptions provided for by Article 9(2) GDPR.
(c) Obligation to comply with accuracy principle
- Steps must also be taken to ensure that the data is accurate in accordance with the accuracy principle under the GDPR.
(d) Obligation to implement security measures to prevent unlawful copying and re-publication
- Furthermore, the CJEU ruled that Article 32 GDPR must be interpreted as meaning that the operator of an online marketplace, as controller of personal data contained in advertisements published on its platform, is required to implement appropriate technical and organisational security measures to prevent the copying and unlawful publication on other websites of advertisements containing sensitive data.
(2) Application of the eCommerce Directive
Firstly, the CJEU found that a marketplace operator cannot avoid its obligations under the GDPR in respect of its processing of personal data contained in advertisements published on its marketplace, by relying on the exemptions from liability provided for by Articles 12-15 of the eCommerce Directive 2000/31/EC (or its successor, the DSA).
In this regard, the CJEU noted that Article 1(5)(b) of that Directive states that it shall not apply to questions relating to information society services covered by Directives 95/46/EC and 97/66/EC (now replaced respectively with the GDPR and ePrivacy Directive). The CJEU interpreted this provision as meaning that the exemption provided for by Article 14(1) of the eCommerce Directive on which the operator of an online marketplace might rely as regards information hosted on its website, cannot interfere with the GDPR regime which applies to such an operator in the same way as to any other operator falling within its scope. The same is true of Article 15 of the eCommerce Directive, under which member States cannot impose a general monitoring obligation on providers. Furthermore the CJEU noted that the obligation on the operator of an online marketplace to comply with the requirements arising under the GDPR cannot, in any event, be classified as such as general monitoring obligation.
Secondly, the CJEU found that Article 2(4) GDPR provides that the GDPR is to be without prejudice to the application of the eCommerce Directive, in particular the liability rules of intermediary providers in Articles 12-15 of that Directive. The CJEU noted that Article 2(4) GDPR must be understood as meaning that the fact that an operator has obligations laid down by the GDPR does not automatically preclude that operator from being able to rely on Articles 12-15 of the eCommerce Directive for matters other than those relating to the protection of personal data.
Comment
The judgment confirms that an operator of online marketplaces acts as a ‘controller’ of personal data contained in user-posted advertisements, in circumstances where it exerts influence, for its own commercial purposes, over the publication of such advertisements on its platform, and must comply with its obligations under the GDPR in respect of such publication. It further confirms that the operator of an online marketplace cannot invoke the liability exemptions under the eCommerce Directive (now the DSA) to evade their GDPR obligations.
Whilst the decision reflects a landmark shift in respect of the liability of operators of online marketplaces, it is important to consider the ruling within its specific context, in particular the scope of the relevant Ts and Cs, and the sensitive nature of the personal data contained within the particular advert. Businesses should carefully consider the potential consequences of this CJEU decision, including the fact that certain contractual terms (such as the freedom to exploit user-generated content for its own commercial purposes) may increase a platform operator’s risk profile under the GDPR.
Contact Us
For more information, please contact any member of our Technology and Innovation Group or your usual Matheson contact.