On 2 December 2025, the Court of Justice of the European Union (“CJEU”) delivered a landmark judgment in Case C-492/23 clarifying the responsibilities of online marketplace operators under the General Data Protection Regulation (“GDPR”).
Background information
Russmedia Digital, a company incorporated under Romanian law, operates an online marketplace on which advertisements may be published either free of charge or for a fee. These advertisements concern, among other things, the sale of goods and the provision of services in Romania.
On 1 August 2018, an unidentified person published an advertisement on the platform, stating that a woman was offering sexual services. The advertisement includedphotographs of the woman, used without her consent, as well as her telephone number. She claimed that the advertisement was false and harmful and requested its removal. Russmedia removed the content within an hour; however, it had already been copied on other websites, where it remained accessible.
The woman subsequently brought a claim, before the Romanian courts, seekingcompensation for moral damages resulting from the unlawful processing of herpersonal data and infringement of her rights to image, honor, and privacy. At second instance, the referring court submitted a request for a preliminary ruling to the CJEU, asking whether, under the GDPR, the operator of an online marketplace must be regarded as a data controller in relation to the personal data contained in user-generated advertisements, and whether such an operator may rely on the liability exemption for hosting providers laid down in Directive 2000/31/EC to be relieved of those obligations.
Decision of the CJEU
The Court held that an online marketplace operator such as Russmedia must be regarded as a controller, within the meaning of the GDPR, for the personal data contained in advertisements published on its platform. Even if an advertisement is uploaded by a user, it is made publicly accessible only through the actions and infrastructure of the marketplace operator.
Accordingly, before an advertisement is published, the operator must identify (through appropriate technical and organisational measures) any advertisements that contain sensitive personal data, such as those at issue in the present case. It must also verify whether the user submitting the advertisement is the individual to whom the sensitive data relate.
If that is not the case, the operator must verify whether the person whose data are being published has given explicit consent to the publication of their sensitive data. In the absence of such consent, the operator is required to refuse publication of the advertisement, unless another lawful basis under the GDPR applies. Furthermore, the operator must take steps to prevent advertisements containing sensitive data from being copied from its platform and unlawfully republished on other websites; this requires the implementation of suitable technical and organisational security measure.
Finally, the Court made clear that an online marketplace operator cannot avoid its obligations under the GDPR by relying on the liability exemption for hosting providers set out in Directive 2000/31/EC.