The European Union’s top court has ruled that operators of online marketplaces are directly responsible under EU data protection law for personal data contained in user-posted ads, significantly tightening obligations around sensitive information such as alleged sexual services.
In a December 2, 2025 Grand Chamber judgment in Case C-492/23, the Court of Justice of the European Union held that a Romanian classifieds platform, operated by Russmedia Digital, qualified as a data controller for personal data published in ads on its site. The case arose after an anonymous user posted a false advertisement presenting a woman as offering sexual services, using her photos and phone number without consent. Although Russmedia removed the ad within an hour of being notified, it had already been copied and reposted on other sites.
The Court found that because Russmedia set the parameters for publishing and exploiting ads for its own commercial purposes, it jointly determined the purposes and means of processing alongside the user advertiser and therefore acted as a controller under the General Data Protection Regulation (GDPR). That status triggers extensive proactive duties.
Before publishing ads, an online marketplace must use appropriate technical and organisational measures to identify advertisements containing “special category” data, such as information about a person’s sex life or sexual orientation. It must verify whether the advertiser is the person whose sensitive data appear in the ad and, if not, refuse publication unless the advertiser can prove the data subject has given explicit consent or another narrow GDPR exception applies.
The Court further held that platforms must implement security measures to prevent ads containing sensitive data from being copied and unlawfully republished on other websites, as far as technologically possible. Simply reacting to complaints after content goes live is not enough where sensitive data are involved.
Importantly, the Court ruled that operators cannot rely on the hosting liability exemptions in the EU E-Commerce Directive to escape GDPR-based responsibilities or potential compensation claims. The judgment now returns to the Romanian courts to apply these interpretations to the woman’s claim for non-material damages.
Need Help?
If you have questions or concerns about any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
