On 2 December 2025, the Court of Justice of the European Union (“CJEU”) delivered a landmark judgment in the case X v. Russmedia Digital and Inform Media Press (C-492/23).

The decision clarified the data protection obligations of online marketplace operators under the General Data Protection Regulation (“GDPR”). It established that such operators may qualify as data controllers in relation to the personal data contained in advertisements appearing on their platforms, even when those advertisements are uploaded directly by users.

The case concerned the Romanian classifieds website “Publi24”, owned by Russmedia Digital, that offered publication of advertisements on its platform, either free of charge or for a fee. In August 2018, a user posted an advert falsely claiming that a woman was offering sexual services. The advert included the woman’s photograph and telephone number, without her consent. Despite Russmedia removing the advert within an hour of it being posted, it had already been copied and reproduced on other third-party websites. The woman initiated proceedings for breach of her image rights, reputation, and data protection rights leading to split rulings before national courts.

Before the lower courts, rulings diverged on whether Russmedia qualified as a hosting provider entitled to the e-Commerce Directive “safe harbour” protections, or whether it could be held liable under the GDPR. The Court of Appeal referred several questions to the CJEU concerning the interaction between GDPR duties and platform-liability exemptions.

In its judgment, the CJEU held that an operator such as Russmedia participates in determining the purposes and means of the processing and therefore fell within the definition of a controller under the GDPR. The Court further clarified the relationship between GDPR obligations and the intermediary liability regime under the e-Commerce Directive.

The CJEU noted several factors which support its ruling, including:

1. Russmedia does not merely provide storage, but organises how adverts are created, displayed and shared and is not just a passive intermediary.
2. The platform enables adverts to be made accessible to a potentially unlimited public, meaning Russmedia therefore contributes to the dissemination of personal data.
3. Russmedia, by operating the platform through which adverts containing personal data are published, participated in determining both the purpose (publication and dissemination of adverts) and the essential means of that processing, meeting the core test of being a controller.
4. It was noted that even though the user advertiser inputs the data, Russmedia’s involvement in the publication and accessibility of the data supports its classification at least as a joint controller.

The Court emphasised that the risks of publication are more serious when sensitive personal data, within the meaning of the GDPR, is involved, particularly where the user advertiser is not the data subject, and where the platform permits adverts to be posted anonymously, increasing the likelihood of unlawful interference with those rights.

The CJEU held that an operator acting as a controller cannot rely on the “safe harbour” liability exemptions provided for in the e-Commerce Directive.

The Court further held that, in such circumstances, the operator acting as a controller is required prior to publication to  implement appropriate technical and organisational measures to identify adverts containing sensitive data; verify whether the user advertiser is the person whose sensitive data appears in that advert; and if not, refuse publication unless the user advertiser can demonstrate the data subject has given his or her explicit consent.

In addition, the Court held that the controller must implement appropriate security measures to prevent advertisements containing sensitive personal data, from being copied and unlawfully published on third-party websites.

The ruling marks the end of online marketplace controllers shielding themselves from liability from user-generated content.