Lawyer Dr. jur. Dirk Lindloff, Legal advisor in Koblenz
Wednesday, 04.02.2026

Reorganization of data protection responsibilities for online platforms?

The ECJ on the online marketplace and sensitive user data



by
Dr. jur. Dirk Lindloff
Lawyer
Specialist lawyer for intellectual property law
Specialist lawyer for information technology law


In its ruling in case C-492/23 – Russmedia Digital and Inform Media Press of December 2, 2025, the European Court of Justice (ECJ) set what appears to be a far-reaching precedent in data protection law for operators of online marketplaces. Essentially, the question was whether the operator of such a marketplace is responsible for the personal data contained in advertisements published by users on its platform and whether it can rely on the liability privileges provided for in the earlier Directive on electronic commerce (E-Commerce Directive). It should be noted that the legal dispute originated in 2018, i.e., before the Digital Services Act (DSA) came into force, which is why the ECJ also interpreted the provisions of the E-Commerce Directive that were still applicable at that time in its ruling. At the same time, the decision must be seen in the context of a European legal situation that has since undergone significant development, with the DSA having been in force since 2024 and also having considerable relevance for the responsibility and liability of digital platforms.

The ECJ's decision clearly shows that the protection of personal data – especially sensitive data – in the digital space is no longer the sole privilege of technical intermediary services, but rather establishes central obligations for platform operators. These requirements remain in place in the context of the DSA and go beyond traditional liability privileges.

The facts

In the underlying case, on August 1, 2018, an unknown person published an advertisement on a Romanian online marketplace depicting a woman without her consent offering sexual services and containing personal data such as photos and telephone numbers. Although the operator quickly removed the advertisement after being notified, it had already been disseminated on other websites.

However, in the reporting on the ruling, we have so far often missed what is likely to be an important factual detail. The operator of this online marketplace had granted itself considerable leeway in its general terms of use to use the information published on this marketplace. In particular, according to the referring court, the operator reserved the right to use, distribute, transmit, reproduce, modify, translate, pass on to partners, and remove published content at any time without the need for a "valid reason." In this respect, the operator did not publish the personal data contained in the advertisements solely for the users placing the advertisements, but processed this data and was able to profit from it for its own advertising purposes and commercial interests.

Against the background of this dissemination and the resulting violations of privacy and data protection, the question arose as to whether the operator of the marketplace is responsible for the processing of this data under data protection law and whether it can invoke liability privileges, such as those provided for in the Directive on electronic commerce.

The ECJ

In its decision, the ECJ first established that the operator of an online marketplace can be regarded as the "controller" within the meaning of Art. 4 No. 7 of the GDPR for the processing of personal data in the advertisements published on its platform. This responsibility arises in this case from the fact that the operator, through the structure and technical means of its platform, contributes significantly to making this data accessible to the public. The operator sets the parameters for the dissemination of advertisements that may contain personal data in accordance with the target audience, determines the presentation, the duration of this dissemination, or the categories in which the published information is structured. It organizes the ranking on which the details of such distribution depend and participates in determining the essential means of publishing the personal data in question. Overall, it thus has a significant influence on the worldwide distribution of this data. The ECJ emphasizes that advertising or content containing personal data and distributed via the marketplace cannot be attributed solely to the advertiser, because publication and access to it are only made possible by the platform's system. This means that the operator is not merely a technical intermediary; within the meaning of the GDPR, it jointly determines the purposes and means of processing this data.

In this context, the ECJ pointed out that it already follows from Art. 2 (4) GDPR that the application of the GDPR remains "unaffected" by the former E-Commerce Directive and, of course, by the current DSA. This provision should not be understood as an opportunity to hide behind its liability privileges; rather, it serves to clarify that data protection responsibilities apply independently of other liability regimes.

The ECJ's decision is particularly significant when it comes to so-called special categories of personal data (sensitive data), which are subject to special protection under Article 9 GDPR. This includes information that allows conclusions to be drawn about a person's health, criminal offenses, sex life, and similar highly sensitive matters. The ECJ expressly clarifies that such data may not be processed without express consent or another narrow legal justification. This applies regardless of whether the data is true or false; mere membership of a sensitive category is sufficient. In the present case, the advertisement was such that it qualified as sensitive personal data within the meaning of Art. 9 GDPR.

According to the ECJ, this understanding of data protection law means that the operator of an online marketplace is not only responsible for ensuring that the GDPR principles are complied with when publishing advertisements, but must also take appropriate technical and organizational measures prior to publication to identify content that contains sensitive data. They must also check whether the advertiser is actually the person whose data appears in the advertisement or whether the data subject has expressly consented to the publication. These verification obligations go far beyond merely reactive removal after becoming aware of the data and represent a significant extension of joint responsibility.

Another key point of the ruling is the finding that the operator is also obliged to take measures to prevent advertisements containing sensitive data that have been published once from being copied by other websites and disseminated there without consent. This duty of protection derives from Art. 32 GDPR, which requires appropriate technical and organizational measures aimed at a level of protection appropriate to the risk. The court thus clarifies that the data controller is not only responsible within its platform, but also with regard to the risks of data dissemination throughout the internet.

With regard to the Directive on electronic commerce (E-Commerce Directive), the ECJ emphasizes in its ruling that the liability privileges provided for therein cannot serve to undermine the data protection obligations under the GDPR. The E-Commerce Directive provided for traditional liability privileges for pure intermediary, transit, and hosting services, where a provider can only be held liable for illegal content if it becomes aware of it and does not act immediately. However, the Court of Justice clarifies that these privileges do not provide independent relief in the area of data protection if the operator is classified as a controller within the meaning of the GDPR.

E-Commerce Directive - Digital Services Act

While the ECJ's decision explicitly refers to the E-Commerce Directive because the underlying case relates to content from 2018, the legal situation has now been formally developed further by the Digital Services Act (DSA). The DSA is an EU regulation that has been fully in force since February 17, 2024, and has largely replaced the E-Commerce Directive in the digital sphere.

Essentially, the DSA adheres to a liability concept that is similar in principle to that of the E-Commerce Directive, namely that internal intermediaries and hosting services are exempt from direct liability for third-party content under certain conditions, as long as they have no knowledge of infringements and respond appropriately when they become aware of them. However, the DSA goes beyond the e-commerce privileges by introducing additional proactive requirements that vary depending on the size of the platform: large, very large, or systemically important platforms must systematically analyze risks to users, take measures to mitigate them, and report on them, while all services are required to offer effective and transparent notice-and-action procedures.

Data protection obligations under the GDPR apply independently of the general liability regimes of the DSA

Against this background, the ECJ ruling of 2025 is particularly significant because it makes it clear that the data protection obligations under the GDPR apply independently of the general liability regimes of the DSA. While the DSA focuses on the conditions under which platforms are exempt from direct liability for third-party content and the organizational requirements that apply to moderation and risk assessment, the GDPR addresses the protection of personal data and obliges platform operators to take their role as controllers seriously when processing or making personal data accessible—especially when it comes to sensitive data. These obligations cannot be neutralized by DSA liability privileges.

Legally speaking, this means that the European legal framework today recognizes a differentiated coexistence of the GDPR and the DSA, in which the GDPR continues to apply independently and primarily to the protection of personal data, and in which the DSA addresses specific issues of platform responsibility, transparency, and risk management. The operating and business models of digital platforms must therefore take both legal regimes into account in a synchronized manner when they provide, manage, or distribute content in order to be both data protection-compliant and in line with the new requirements for digital services.

Impact

The impact of this decision has already been described in the literature as far-reaching, but in our view it does not go so far as to affect all platforms with user-generated content on which personal data is processed or disseminated. In our view, such statements overlook the fact that the ECJ reached its decision because the platform operator documented a significant interest of its own in the published content through its terms of use. In addition, it set parameters for publication. In this case, the content in question was advertisements. On this basis, the ECJ concluded that there was so-called joint responsibility under Art. 26 GDPR. It should be mentioned in passing that this also means that online platform operators and advertisers must conclude an agreement on joint responsibility in accordance with Art. 26 GDPR and must inform the data subjects of the essential content of this agreement in accordance with Art. 26 (2) sentence 2 GDPR. The classification thus not only leads to liability consequences, but also to formal obligations.

In any case, operators of such services will in future have to establish organizational and technical measures that go beyond purely reactive moderation and enable proactive detection of sensitive data, identity verification, and risk assessment. These requirements represent a profound innovation in legal practice because they fundamentally reverse the traditionally reporting and reactive role of platform operators—toward a preventive responsibility that begins even before publication.

At the same time, it cannot be assumed that the ruling requires all platforms and forums to comply with these requirements. If it does not involve advertisements, if no freely usable rights to the content are granted (but rather, if necessary, the rights are limited to those necessary for publication), or if no influence is exerted on the duration of display or categories, etc., the ruling may often not apply to the platform or forum.

However, if this cannot be argued, then the ruling is potentially problematic in its practical implementation because the obligation to check content in advance and verify identity poses considerable technical and organizational challenges. Without such a preliminary check, the operator cannot know and verify whether the publication contains particularly sensitive data in accordance with Art. 9 GDPR. In this area, the ECJ even goes so far as to require the operator to verify the identity of the advertiser to ensure that they are the person shown in the advertisement and, if not, to obtain proof of consent from the person shown. At the same time, prior knowledge may invalidate liability privileges for claims arising from areas of law other than data protection law. This must be considered difficult to implement, especially for smaller platforms, as they may not have the resources to establish complex verification processes without coming into conflict with other legal principles.

At the same time, the ECJ ruling also has an important legal policy dimension: it signals that the priority of European law in the digital context is the protection of the fundamental rights of natural persons. The ECJ emphasizes that the protection of personal data and personality rights must not take a back seat to general liability privileges. This means that technical intermediaries cannot remain neutral within the meaning of the GDPR even if they could be under the general digital liability regimes of the DSA.

Conclusion

In summary, it can be said that the ECJ ruling of December 2, 2025, represents a milestone in European data protection and platform regulation. It reinforces the view that operators of digital marketplaces and platforms may be jointly responsible for the processing of personal data disseminated via their systems and that they must take appropriate measures to ensure the protection of such data before publication. At the same time, it remains clear that the data protection obligations of the GDPR remain in place and cannot be overridden by general liability regimes such as DSA privileges. This interplay of legal acts requires digital service providers to design their offerings in a careful, risk-based, and legally compliant manner that focuses on the protection of personal data and technical and organizational responsibility.

The statements represent initial information that was current for the law applicable in Germany at the time of initial publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter. Please contact us for this purpose.