On December 2, 2025, the European Court of Justice (ECJ) ruled in case C-492/23 (“Russmedia”) that operators of online marketplaces are responsible under data protection law for personal data in user ads. This ruling has significant implications for GDPR obligations, platform liability and the role of online marketplaces in the digital space.

Background: The Russmedia case

A previously unknown user posted an ad on a Romanian online marketplace in which a woman was depicted with photos and her telephone number. The ad falsely claimed that she offered sexual services. The woman was neither aware of the ad nor had she given her consent to the publication of her personal data. Although the operator quickly had the ad deleted after a complaint, it had already been distributed on other sites.

The woman concerned then sued for damages. The legal dispute centered on the question of whether the operator of an online marketplace could be held liable for the publication of personal data, even though the content had been created by a user.

The platform operator argued that it was merely a technical service provider and had no influence on the specific content of the ad. It had also reacted immediately after becoming aware of it and deleted the ad. The plaintiff, on the other hand, took the view that the operator shared responsibility for the processing of her personal data due to the operation and design of the platform.

The question of the responsibility of online platforms under data protection law has been controversial until now and has now been fundamentally clarified by the ECJ ruling.

Online marketplace operators can be considered responsible parties

The ECJ ruled that operators of online marketplaces – as in the case of Russmedia Digital – are not just technical intermediaries, but (co-)controllers within the meaning of the GDPR if personal data is published by users on their platform. Although the user creates the ad themselves, the operator determines the framework conditions for data processing through the structure, technical design and terms of use of the platform. In the opinion of the ECJ, this actual influence is sufficient to establish joint controllership pursuant to Art. 26 GDPR.

No invocation of liability privileges

Furthermore, the ECJ has clarified that platform operators cannot invoke the liability privileges for host providers – for example under the Digital Services Act or the former E-Commerce Directive – in order to evade their data protection liability under the GDPR. The reference to being merely a “technical host” is not sufficient to exclude responsibility for the processing of personal data, especially if the platform operator has a decisive influence on the data processing.

Review and control obligations prior to publication

In addition, the ECJ not only confirmed the responsibility of platform operators, but also emphasized that operators of online marketplaces have active obligations.

Before an ad is published, the operator must check whether personal data, and in particular sensitive data within the meaning of Art. 9 GDPR (e.g. health data, sexual orientation, political views), is contained in the ad. They must also ensure that the posting user is actually the data subject or that they have given their express consent to publication. If there is no consent or other legal basis in accordance with the GDPR, publication must be refused. Furthermore, the online marketplace must take appropriate technical and organizational measures to prevent unlawful publications and, if necessary, to make it more difficult or even completely prevent further dissemination on other sites.

Why the ruling is important

With its decision, the European Court of Justice is sending a clear signal for stronger preventative data protection. In future, platform operators must not limit themselves to taking action only after complaints have been received. Rather, they are required to take appropriate measures in advance to prevent data protection violations.

For operators of online marketplaces, classified ad portals and similar platforms where users can post content, this means a considerable need for adaptation. Existing compliance structures must be reviewed and, if necessary, further developed. This includes, in particular, the technical design of the platform, internal moderation and review processes as well as the underlying data protection concepts. The aim is to meet the increased requirements of data protection authorities and courts.

Smaller providers in particular could face special challenges. Automated testing and control mechanisms are often cost-intensive and technically demanding. Nevertheless, the ruling makes it clear that economic or organizational difficulties must not be at the expense of data protection.

Key message: The GDPR also applies to online marketplaces

In its ruling of December 2, 2025 (Case C-492/23 “Russmedia”), the ECJ therefore made it unmistakably clear that operators of online marketplaces bear a responsibility under data protection law if personal data is processed in user ads. They are obliged to take appropriate verification and control measures before publication in order to ensure lawful data processing. They cannot invoke liability privileges for host providers in order to avoid the obligations of the GDPR.

Read also: The Digital Services Act (DSA) – Overview and obligations for platform operators | Judgment in full text: ECJ, December 2, 2025 – C-492/23