ARTICLE
16 December 2025

Judgment Summary – Court Of Justice Of The European Union (CJEU)Case C-492/23, Russmedia Digital And Inform Media Press (2 December 2025)

FF
FFF Legal

Contributor

FFF Legal logo
FFF Legal is a Malta-based law firm which provides a comprehensive range of services to the highest calibre of individuals and businesses. Its clients are sophisticated and dynamic and this is reflected in the way that the team challenges the conventional, and strives for excellence at every opportunity. The firm has a wealth of experience representing clients in a broad spectrum of specializations. Its partners, associates and consultants are all practising lawyers who work within the different practice areas.
Explore Firm Details
On the 2nd December 2025, the CJEU delivered an important judgment clarifying the data protection obligations of online marketplace operators under the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR").
Malta Privacy
Madeleine Gauci
Your Author LinkedIn Connections
Madeleine Gauci’s articles from FFF Legal are most popular:
  • within Privacy topic(s)
  • in United States
  • with readers working within the Banking & Credit, Utilities and Law Firm industries
FFF Legal are most popular:
  • within Privacy, Litigation, Mediation & Arbitration and Intellectual Property topic(s)

On the 2nd December 2025, the CJEU delivered an important judgment clarifying the data protection obligations of online marketplace operators under the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). The ruling establishes that such operators act as data controllers with respect to the personal data contained in advertisements appearing on their platforms, even when those adverts are uploaded directly by users.

The Court held that an online marketplace operator determines, jointly or independently, the purposes and means of processing personal data contained in advertisements published on its platform. Because publication occurs through the operator's system (making the advertisement accessible to the public) the operator assumes the role of a controller within the meaning of Article 4(7) GDPR.

For context, the Unfair Commercial Practices Directive (Directive 2005/29/EC) defines an online marketplace as an online interface operated by or on behalf of a trader which allows consumers to conclude distance contracts with other traders or consumers.

Background

The case arose after an unidentified user published an advertisement on the Romanian classifieds website ‘www.publi24.ro', owned by Russmedia Digital, falsely claiming that a woman was offering sexual services. The ad included her photographs and telephone number, without her consent and was subsequently copied to other websites. Although Russmedia removed the advert promptly upon notification, the woman initiated proceedings for breach of her rights, leading to divergent rulings before national courts. The Court of Appeal in Cluj referred several questions to the CJEU concerning the interaction between GDPR duties and platform-liability exemptions.

Mandatory pre-publication controls for sensitive personal data

Where advertisements involve special categories of personal data (e.g., sexual life, health, or other sensitive data), the operator must carry out certain checks before allowing publication. These include:

  • Identifying advertisements containing sensitive data, using appropriate technical and organisational tools.
  • Verifying the identity of the advertiser to confirm that they are the individual whose sensitive data appear in the ad.
  • If the advertiser is not that individual, verifying whether the data subject has provided explicit consent for the publication of their sensitive data.

In the absence of such verification or consent, the operator must refuse publication, unless another GDPR exemption is applicable.

Post-publication responsibilities and prevention of unlawful dissemination

The operator's obligations do not end at publication. The CJEU emphasised that the marketplace must take effective measures to prevent the copying, scraping, or unlawful re-publication of such adverts containing sensitive data on third-party websites. This requires the adoption of robust technical and organisational security measures.

No reliance on e-Commerce Directive liability exemptions

Crucially, the Court ruled that an online marketplace cannot rely on the liability exemptions for hosting providers set out in the e-Commerce Directive (Directive 2000/31/EC) to bypass GDPR obligations.

Significance of the ruling

This judgment imposes a heightened compliance burden on operators of online marketplaces and similar platforms, particularly where user generated content may involve sensitive personal data. Operators must proactively assess adverts, implement identity-verification processes, ensure appropriate consent mechanisms, and adopt strong safeguards to prevent misuse of personal data.

The ruling reinforces the notion that GDPR responsibilities cannot be contractually overridden by reliance on liability exemptions.

Conclusion

For businesses operating online marketplaces, this judgment underscores the need to reassess existing compliance frameworks, moderation tools, contractual arrangements, and technical measures to ensure alignment with heightened regulatory expectations. Those who take steps now to strengthen controls and document their compliance efforts will be better positioned to mitigate legal, financial, and reputational risks in an environment of increasing judicial and regulatory scrutiny.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Madeleine Gauci
Madeleine Gauci
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More