On the 2nd December 2025, the CJEU delivered an important judgment clarifying the data protection obligations of online marketplace operators under the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). The ruling establishes that such operators act as data controllers with respect to the personal data contained in advertisements appearing on their platforms, even when those adverts are uploaded directly by users.
The Court held that an online marketplace operator determines, jointly or independently, the purposes and means of processing personal data contained in advertisements published on its platform. Because publication occurs through the operator’s system (making the advertisement accessible to the public) the operator assumes the role of a controller within the meaning of Article 4(7) GDPR.
For context, the Unfair Commercial Practices Directive (Directive 2005/29/EC) defines an online marketplace as an online interface operated by or on behalf of a trader which allows consumers to conclude distance contracts with other traders or consumers.
Background
The case arose after an unidentified user published an advertisement on the Romanian classifieds website ‘www.publi24.ro’, owned by Russmedia Digital, falsely claiming that a woman was offering sexual services. The ad included her photographs and telephone number, without her consent and was subsequently copied to other websites. Although Russmedia removed the advert promptly upon notification, the woman initiated proceedings for breach of her rights, leading to divergent rulings before national courts. The Court of Appeal in Cluj referred several questions to the CJEU concerning the interaction between GDPR duties and platform-liability exemptions.
Mandatory pre-publication controls for sensitive personal data
Where advertisements involve special categories of personal data (e.g., sexual life, health, or other sensitive data), the operator must carry out certain checks before allowing publication. These include:
- Identifying advertisements containing sensitive data, using appropriate technical and organisational tools.
- Verifying the identity of the advertiser to confirm that they are the individual whose sensitive data appear in the ad.
- If the advertiser is not that individual, verifying whether the data subject has provided explicit consent for the publication of their sensitive data.
In the absence of such verification or consent, the operator must refuse publication, unless another GDPR exemption is applicable.
Post-publication responsibilities and prevention of unlawful dissemination
The operator’s obligations do not end at publication. The CJEU emphasised that the marketplace must take effective measures to prevent the copying, scraping, or unlawful re-publication of such adverts containing sensitive data on third-party websites. This requires the adoption of robust technical and organisational security measures.
No reliance on e-Commerce Directive liability exemptions
Crucially, the Court ruled that an online marketplace cannot rely on the liability exemptions for hosting providers set out in the e-Commerce Directive (Directive 2000/31/EC) to bypass GDPR obligations.
Significance of the ruling
This judgment imposes a heightened compliance burden on operators of online marketplaces and similar platforms, particularly where user generated content may involve sensitive personal data. Operators must proactively assess adverts, implement identity-verification processes, ensure appropriate consent mechanisms, and adopt strong safeguards to prevent misuse of personal data.
The ruling reinforces the notion that GDPR responsibilities cannot be contractually overridden by reliance on liability exemptions.
Conclusion
For businesses operating online marketplaces, this judgment underscores the need to reassess existing compliance frameworks, moderation tools, contractual arrangements, and technical measures to ensure alignment with heightened regulatory expectations. Those who take steps now to strengthen controls and document their compliance efforts will be better positioned to mitigate legal, financial, and reputational risks in an environment of increasing judicial and regulatory scrutiny.
The information provided in this Insight does not, and is not intended to, constitute legal advice. All information, content, and materials available are for general informational purposes only. This Insight may not constitute the most up-to-date legal information and you are advised to seek updated advice.
