ARTICLE
28 January 2026

GDPR Liability For Online Marketplaces: No Safe Harbour Under The E-Commerce Directive

GA
GVZH Advocates

Contributor

GVZH Advocates logo
GVZH Advocates is a modern, sophisticated legal practice composed of top-tier professionals and rooted in decades of experience in the Maltese legal landscape. Built on the values of acumen, integrity and clarity, the firm is dedicated to providing the highest levels of customer satisfaction, making sure that legal solutions are soundly structured, rigorously tested, and meticulously implemented.
Explore Firm Details
On 2 December 2025, the Court of Justice of the European Union (CJEU) clarified the scope of GDPR liability for online marketplaces in its judgment...
Malta Privacy
Erika Criscione
Your Author LinkedIn Connections
Erika Criscione’s articles from GVZH Advocates are most popular:
  • within Privacy topic(s)
GVZH Advocates are most popular:
  • within Privacy, Criminal Law, Litigation and Mediation & Arbitration topic(s)
  • with readers working within the Consumer Industries industries

On 2 December 2025, the Court of Justice of the European Union (CJEU) clarified the scope of GDPR liability for online marketplaces in its judgment X vs Russmedia Digital SRL and Inform Media Press SRL (Case C-492/23), confirming that online marketplace operators may incur liability under the GDPR where they fail to take appropriate steps to verify, moderate and prevent the unlawful dissemination of advertisement containing personal data.

A key aspect of the judgement is the Court's finding that the operator of an online marketplace may be classified as a data controller for the purpose of the General Data Protection Regulation (GDPR). Importantly, the Court also held that such operators cannot rely on the liability exemption under Article 141 of Directive 2000/31 (E-Commerce Directive) to avoid the responsibility for breaches of their obligations under the GDPR.

Fact of the case

The applicant, a woman identified in the judgment as "X", claimed that an unidentified third party had published an advertisement on the defendants' website, portraying her as offering sexual services. The advertisement included photographs of X which had been used without her consent, along with her telephone number.

The defendant, Russmedia Digital SRL (Russmedia), owner of the online marketplace Publi24.ro, when contacted by the applicant, removed the advertisement from its website in less than one hour from receipt of the request by X to do so. However, the information had already been republished and copied on other websites.

X filed an action against Russmedia before the Romanian Court of First Instance claiming that the advertisement infringed her right of personal portrayal and rights to honour, reputation and privacy.

The Court ordered Russmedia to pay her damages in the amount of Euro 7,000 for non-material damages caused by the infringement of the right of personal portrayal and the rights to honour and reputation, as well as for unlawful processing of her personal data.

Russmedia appealed the judgment before the Romanian Specialized Court, which upheld the appeal, holding that Russmedia acted solely as a hosting service provider and was not actively involved in the creation or control of the advertisement's content. As a result, the exemption from liability provided for under Article 14 of the E-Commerce Directive was found to be applicable.

The applicant appealed the judgment, arguing that the Platform (Russmedia) played an active role, not merely by storing the data, but also by processing and analysing it and making it available to the public. Consequently, the exemption from liability provided under Article 14 of the E-Commerce Directive should not apply.

The matter was referred to the CJEU by the Romanian Court of Appeal.

The Online Marketplace as a Data Controller

The Court found that, in the given context, the operator of an online marketplace qualifies as controller of personal data contained in user-generated advertisement, even though the operator do not create the content of such advertisement.

The Court clarified that, once the advertisement is published, the operator of the online marketplace and the user who placed the advertisement, are to be regarded as joint controllers of the personal data. Accordingly, they share responsibility for ensuring that the data is processed lawfully.

In this respect, the Court observed that Russmedia publishes personal data contained in the advertisement for its own advertising and commercial purposes and that it exerts influence over the data processing determining the means of the data processing.

This is confirmed by the Terms and Conditions of its service, where Russmedia has the right to use published content, distribute it, transmit it, reproduce it, modify it, translate it, transfer it to partners and remove it at any time, without the need for any 'valid' reason for so doing.

In addition, the Court noted that the operator of an online marketplace, sets the parameters for the dissemination of advertisements, which is likely to contain personal data and determines a number of elements, including the presentation and duration of that dissemination, the headings of the information published and its classification.

Obligations of Online Platforms as Data Controllers

The Court found that the operator of the Platform, as the controller of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements:

  • to identify the advertisements that contain sensitive data in terms of Article 9(1) of the GDPR,
  • to verify whether the user posting such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,
  • to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data being published on that online marketplace.

Technical and Organisational Measures

The Platform operator is further required to implement appropriate technical and organisational security measures in order to prevent that the advertisements containing sensitive data is being copied and unlawfully published on other websites.

Non applicability of the E-Commerce Directive Exemption

An online marketplace operator cannot invoke the E-Commerce Directive exemption to escape liability for infringements of its GDPR obligations.

The Court held that the exemption cannot interfere with the GDPR regime.

This exemption applies only when the service provider plays a neutral, purely technical, and passive role. Since Russmedia actively determined the means and purposes of the data processing for its own commercial gain (as described above), its role is considered active and non-neutral. Therefore, the stricter duties and liability standards of the GDPR apply.

What this Means for Platforms

This case illustrates the increasing GDPR liability for online marketplaces, particularly when platforms fail to implement safeguards to prevent misuse of personal data.

In practical terms, the Court's findings significantly raise the compliance expectations placed on online marketplace operators, confirming that platforms cannot rely on the exemption of liability granted under the E-Commerce Directive to avoid responsibilities for infringements of GDPR obligations.

Platform operators are required to identify advertisements containing special category of data under Article 9(1) GDPR, verify whether the advertiser is the data subject, and refuse publication where this is not the case, unless the advertiser can demonstrate that the data subject has provided explicit consent for the data to be published on the platform.

This inevitably requires the implementation of robust identity-verification mechanisms, together with safeguards designed to prevent the dissemination of sensitive personal data in breach of individuals' rights.

That said, these requirements also raise practical and legal challenges. In particular, enhanced verification processes may necessitate the collection of additional personal data, potentially creating tension with the data minimisation principle under the GDPR. Moreover, preventing the copying and onward publication of unlawful content across other websites may prove difficult in practice, given the speed and scale at which information can be replicated and shared online.

Footnote

1. Article 14.1 of Directive 2000/31, entitled "Hosting", in its original version prior to amendment by Regulation (EU) 2022/2065 (the Digital Services Act), provides as follows:

"1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:

(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or

(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Erika Criscione
Erika Criscione
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More