On December 2, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision clarifying the obligations of online marketplace operators with regard to content posted on their platform, where such content includes personal data.  This blogpost provides an overview of the decision and its key takeaways.

I. Background

The case arose from a dispute between a Romanian woman and Russmedia Digital SRL (“Russmedia”), the operator of an online marketplace on which advertisements can be published.  In 2018, an unidentified third party published an ad on Russmedia’s website relating to the woman and suggesting that she offered sexual services.  The ad included photographs of the woman and her phone number.  The woman asked Russmedia to take down the ad, which Russmedia did within an hour of receiving the request.  However, by then, the ad had already been reproduced on other websites, where it remained available.

The woman initiated proceedings against Russmedia before the Romanian courts, claiming the advertisement infringed, inter alia, EU data protection rules (i.e., the EU GDPR). The case was referred to the CJEU by the Romanian courts.  Essentially, the referring court asked for guidance on (i) whether an online marketplace operator could be relieved of its obligations under the GDPR on the basis of the liability exemption for hosting providers in Directive 2001/31/EC (“the E-Commerce Directive”); and (ii) the practical implications of such operator’s GDPR obligations, where applicable.

II. The Court’s Judgement

A. Doctrines of Sensitive Data and Joint Controllership

The referring Romanian court’s questions were based on a few assumptions, including that the situation at hand involved the processing of sensitive personal data and that Russmedia should be considered a data controller within the meaning of the GDPR.  In preliminary remarks, the CJEU addressed these assumptions and confirmed that:

  • Information about an individual’s sex life or sexual orientation is sensitive data (“special categories of personal data”) under the GDPR, whether the information is true or not.  Thus, in the case at hand, the ad was deemed to contain sensitive personal data, despite the information being false.   
  • The publication of the ad on Russmedia’s platform constituted a processing of (sensitive) personal data.
  • Russmedia was a controller in relation to such processing, jointly with the unidentified user who posted the ad.  On this point, the CJEU reiterated that:
    • the concept of “controller” should be interpreted broadly under the GDPR, with any individual or entity “who exerts influence” over a processing of personal data, and thus participates in the determination of its purpose and means, qualifying as a controller;
    • multiple parties may influence a processing activity, and they may do so in different forms so that they would not all have an equal responsibility in the processing.  In the case at hand, the CJEU acknowledged that the unknown user who placed the ad was primarily responsible for determining the purposes and means of the processing and thus qualified as a controller.  Nonetheless, it found that Russmedia also played an essential role in the publication of the ad, and thus acted as a joint controller, along with the user. 

According to the CJEU, Russmedia not only determined the essential means of such publication by providing the platform and setting out parameters for such publication, but it did so for its own commercial or advertising purposes.  The CJEU considered that Russmedia’s terms and conditions of use, which granted Russmedia a general right to reuse the content of ads published on its platform, provided evidence of the “decisive influence” exerted by Russmedia over the processing.

B. Obligations of Online Marketplace Operators Under the GDPR

As a (joint) controller, Russmedia was responsible for ensuring the publication of the ad complied with the GDPR requirements – including the lawfulness, accuracy and accountability principles.  The CJEU highlighted that Russmedia should have designed its platform in a way that would enable it to demonstrate GDPR compliance.  In practice, the CJEU considered Russmedia should have taken appropriate technical and organizational measures to:

  • Identify the advertisements that contain sensitive data – so as to be in a position to verify such ads are only published in accordance with GDPR requirements;
  • Verify the identity of users before the publication of such ads – this obligation derives from the fact that the GDPR prohibits the publication of sensitive data unless (i) the data subject has explicitly consented to such publication or (ii) another exemption under Article 9(2) GDPR applies.  According to the CJEU, a data subject would be deemed to have explicitly consented to the publication if they placed the ad containing their personal data themselves.  However, where a user wishes to place an ad containing sensitive data about someone else, Russmedia should further check that the user has obtained the data subject’s explicit consent or can otherwise rely on another Article 9(2) exemption.
  • Refuse publication of ads containing sensitive data, where the user wishing to publish the ad cannot demonstrate it has an appropriate legal basis for such publication.

Furthermore, Russmedia, as a controller, was also required to adopt security measures appropriate to the risk presented by the processing, pursuant to Article 32 GDPR.  With regard to the publication of sensitive data online, the CJEU considered this meant Russmedia was required to take steps to block – as far as technically possible – the copying and reproduction of sensitive data published on its platform.

C. Relationship between E-Commerce Directive and GDPR

Finally, the CJEU clarified the relationship between the E-Commerce Directive and the GDPR.  In essence, it held that while online marketplace operators may benefit from the simplified liability regime for intermediary providers under the E-Commerce Directive, this does not apply  to the protection of personal data.  In this case, they would still be subject to GDPR requirements where the information hosted on their platform amounts to personal data.  

* * *

Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging data protection and compliance issues in the EU and other key markets. If you have any questions about the topics discussed in this article, please do not hesitate to contact us.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Read more about Dan Cooper
Show more Show less
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van Quathem
Show more Show less
Photo of Alix Bertrand Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix…

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.

Read more about Alix Bertrand
Show more Show less