CJEU’s Russmedia decision: how online marketplace platforms could be held liable under the GDPR

On 2 December 2025, the Grand Chamber of the Court of Justice of the European Union ("CJEU") delivered a landmark judgment in the case X v. Russmedia Digital and Inform Media Press (C-492/23). The judgment offers a mix of considerations on the liability exemption for intermediaries and the duties of marketplace operators under the GDPR when user-generated content involves sensitive data. The judgment also raises fundamental questions as to the proportionality and practical feasibility of such obligations for SMEs and platforms with high advertisement volumes, signalling a potential shift in platform liability for the processing of sensitive data. Businesses should carefully consider the potential consequences of the court’s ruling, especially the possibility that certain design choices, contractual terms and exploitation of user-generated content may expose platforms to increased risk.   

Background to the case 

Russmedia Digital, a Romanian business, owns the website <www.publi24.ro>. This platform serves as an online marketplace where advertisements may be published either free of charge or for a fee. On 1 August 2018, an unidentified user posted on this marketplace an advertisement falsely representing a woman (the “claimant”) as offering sexual services. The advertisement included her photographs and telephone number and was posted without her consent. Once notified, Russmedia removed the advertisement within an hour, but the advertisement was relayed on several third-party websites, which indicated the initial website as the source.

The claimant initiated proceedings for breaches of her image rights, reputation and data protection rights. Before lower courts, decisions were split over whether Russmedia was a hosting provider benefiting from the eCommerce Directive safe harbour or subject to liability under the GDPR. The court of appeal referred the case to the CJEU, requesting guidance on whether the marketplace operator could rely on the liability exemption for intermediaries and to what extent, under the GDPR, the platform operator needed to prevent the publication and further dissemination of such sensitive personal data.  

As we set out below, this case provided an opportunity for the CJEU to rule on whether the platform must verify the advertiser’s identity, monitor the content of the advertisement in advance to detect sensitive data and implement measures to prevent further dissemination. 

Key takeaways 

This ruling has many implications for businesses. 

Broad interpretation of the concept of controllership 

The Court finds that the operator of an online marketplace such as Russmedia Digital is a controller, within the meaning of the GDPR, of the personal data contained in an advertisement published on its online marketplace, although the advertisement is designed and placed by a user.

To justify its position and demonstrate that Russmedia exerted a decisive influence, for its own purposes, over the publication on the internet of the personal data of the applicant, the CJEU notes that:  

  • Russmedia participated in the determination of the purpose of the processing that consisted in making the personal data contained in the advertisement at issue accessible to internet users in order to put such publications to effective use.  
  • In addition, by allowing advertisements to be placed anonymously on its online marketplace, Russmedia facilitated the publication of such data without the data subject’s consent.
  • Russmedia sets the parameters for the dissemination of advertisements likely to contain personal data depending on the recipients concerned, determines the presentation and duration of that dissemination or the headings structuring the information published, or even organises the classification which will determine the arrangements for such dissemination.
  • According to the court, the online marketplace cannot avoid its liability as a data controller merely because it did not itself determine the content of the advertisement published.
  • Russmedia publishes advertisements on its online marketplace for its own commercial purposes, as indicated in its T&Cs.  

With regard to this last point, Russmedia’s T&Cs were rather standard in the way they granted Russmedia the right to distribute, transmit, publish, remove or reproduce the information contained in the advertisements, including the personal data contained therein. According to the court, this contributed to its controller status. Given the other arguments put forward by the Court, simply amending the content of the contract might not be sufficient to rebut the controller qualification.

The marketplace and the advertising user qualify as joint controllers when the ad is published  

The CJEU considers that the online marketplace and the advertising user qualify as joint controllers when the advertisement is published on the online marketplace. The CJEU applies here its doctrine, developed in cases such as Fashion ID, according to which joint controllership does not necessarily require the existence of joint decisions concerning the determination of the purposes and means of the processing of the personal data concerned.

As a consequence, both the marketplace and the user must be able to demonstrate that the personal data in the ad is published lawfully, that in the case of sensitive data the consent of the data subject has been obtained and that the data is accurate in accordance with the principle of accuracy. As regards technical and organisational measures, these need to be assessed on a case-by-case basis.

This ruling also triggers the implicit consequence that in such circumstances the online marketplace must conclude an article 26 joint-controller agreement with the advertising user setting out the respective roles and relationships of the joint controllers vis-à-vis the data subjects.

The CJEU notes that once published online and accessible to any Internet user, such data may be copied and reproduced on other websites, so that it may be difficult, if not impossible, for the data subject to obtain their effective deletion from the Internet. The ECJ’s reasoning seems to have been designed to protect individuals against this risk and clarify that both the marketplace and the advertising user have obligations under the GDPR. 

Adoption of appropriate measures by the controller 

The CJEU points out that the degree of likelihood of a breach of fundamental rights to privacy by the publication of an advertisement containing sensitive data is very high where the advertising user is not himself the data subject and where the online marketplace allows such advertisements to be placed anonymously. The CJEU therefore concludes that, as soon as their service is designed, data controllers must implement appropriate technical and organisational measures to identify adverts containing sensitive data before they are published and to verify that such sensitive data is published in compliance with the principles of the GDPR.

Verification of identity prior to online publication of the advertisement  

The CJEU notes that while the fact that a data subject places an advert containing his or her sensitive data on an online marketplace may constitute explicit consent within the meaning of Article 9(2)(a) of the GDPR, such consent is lacking where that advert is placed by a third party, unless that party can demonstrate that the data subject has given his or her explicit consent to the publication of that advert.

The operator, as the party responsible for the publication of sensitive data contained in an advertisement published on its marketplace, together with the advertising user, is obliged to collect the identity of this user and to check whether this user is the person whose sensitive data appears in the advertisement. This is part of the appropriate technical and organisational measures. If this verification of identity is impossible, the operator must refuse to publish the advert. 

Implementation of security measures 

Finally, the CJEU concludes that the controller must implement appropriate security measures to ensure that advertisements containing sensitive data are not copied and unlawfully published on other websites. The court does not prescribe how this should be done. 

Why could this ruling have far-reaching consequences for online marketplaces?  

Read in its most literal sense, this decision may appear to impose a handful of stringent obligations onto platform operators, including:  

  1. proactive screening obligations of user-generated content prior to publication for the inclusion of sensitive data;  
  2. collection and verification of the publishing user’s identity (if sensitive data is present); and  
  3. implementation of technical and organisational measures to prevent the dissemination of said user-generated content, including sensitive data.

As always, though, court decisions which address the liability of online intermediaries inevitably raise new questions as they try to answer others – and the Russmedia judgment is no exception.  

First, the decision relies primarily on the interpretation of the GDPR, specifically controller obligations in relation to a specific combination of facts, i.e. user-generated content containing not only sensitive data but intentionally harmful content of a sexual nature. The court's determination draws from a variety of factual elements such as (i) platform design choices, (ii) wording of applicable terms and conditions, (iii) exploitation of user-generated content. Arguably, those vary on a case-by-case basis and are thus liable to influence each economic operator’s own risk.  

Second, the abovementioned findings of the Court appear in tension both with current market practice and platform obligations under the e-Commerce Directive (or its successor, the DSA), without clear instructions for businesses to reconcile these considerations. For example, the recommendations of the Court to diminish liability under the GDPR may incidentally increase liability of platforms under other legal instruments.  

Third, in practice, online intermediaries may face difficulties in translating the consequences of the ruling at the operational level. For instance, platforms could be confronted with residual uncertainty as to, amongst others, what level of identity verification is required, which state-of-the-art security measures would be deemed appropriate, etc.

Given the above, we highly recommend that businesses conduct their own case-by-case analysis to ascertain the consequences of the ruling on their own online platform. Please don’t hesitate to reach out if you require assistance. 
