Are Operators of Online Marketplaces Responsible for User Content Under the GDPR?


5 minute read | December 23, 2025

On 2 December 2025, the Court of Justice of the European Union (CJEU) ruled that operators of online marketplaces can be held legally responsible for how personal data is handled on their platforms — even when the data is processed by third parties — and may therefore qualify as (joint) controllers under the GDPR (Case C‑492/23).

The CJEU takes the view that the protections of the hosting provider privilege do not preempt responsibilities under the GDPR. This may have a far-reaching impact as it may require burdensome technical and organizational measures to better monitor and protect personal data.

Background

The dispute (“Russmedia”) revolved around a Romanian online marketplace operated by Russmedia that hosts free and paid advertisements on its website. A woman claimed that an ad published on the marketplace included her photographs and phone number and falsely presented her as offering sexual services without her consent, thereby encompassing special categories of personal data under Article 9 of the GDPR.

Although the operator removed the ad shortly after notification, the ad appeared on other websites that indicated the marketplace as the source. The applicant claimed that the advertisement infringed her rights and sued Russmedia for non-material damages.

The Romanian Court of Appeal asked the CJEU to clarify the marketplace operator’s status under the GDPR and how data protection obligations interact with liability exemptions for hosting / intermediary providers.

Key Findings

Online marketplace operators, even when acting as hosting providers, may be joint controllers if they exert decisive influence over how personal data is processed and how ads containing personal data are shared — including who sees them, how they are displayed, how long they remain visible, and how they are categorized — because this gives the operator decisive influence over how that data is disseminated.

  • The hosting provider privilege does not exempt marketplace operators from their obligations under the GDPR as a (joint) controller for personal data processed on the marketplace.
  • The operator of an online marketplace can be a (joint) controller for the processing of personal data in ads published by third parties on its platform if the operator also processes the personal data for its own commercial purposes.
  • Considering that Russmedia’s general terms and conditions allowed Russmedia to use third-party content for its own purposes, including marketing and sharing with third parties, the CJEU determined that Russmedia exerted “a decisive influence over the processing of personal data concerned and thus determines the means of that processing.”
  • The CJEU concluded that the advertiser and Russmedia were joint controllers pursuant to Article 26 (1) GDPR.
  • The anonymity of the advertiser made it impossible for the marketplace to fulfill transparency requirements as a joint controller under the GDPR.
  • The CJEU also stated that data about a person’s sex life does qualify as a special category of personal data under Article 9 (1) GDPR even when the content is untrue, and that publishing such content requires compliance with Article 9 (2) GDPR. 

Implications for Online Marketplaces

The actual impact of the decision remains to be seen. As further outlined below, the case is fairly specific, thus not every marketplace operator may qualify as (joint) controller or be burdened with the fairly onerous obligations under the GDPR.

  • Marketplace operators can no longer avoid liability and obligations under the GDPR by referencing their position as a “neutral intermediary” if they retain the right to exert significant influence on the processing of personal data. Also, “notice-and-takedown” of such content alone will not be enough.
  • Platforms and advertisers may need to enter a joint controller agreement under Article 26 of the GDPR.
  • In cases similar to the Russmedia case, operators must implement appropriate technical and organizational measures before ads are published, to:
    • Identify ads that contain special categories of personal data pursuant to Article 9 (1) GDPR,
    • Verify whether the advertiser preparing to place such an advertisement is the person whose sensitive data appears in that advertisement and, if this is not the case,
    • Refuse publication of that advertisement, unless that advertiser can demonstrate that the impacted individual has given his or her explicit consent to their data being published on that marketplace, as defined by Article 9 (2) (a) GDPR, or unless an exception provided for in Article 9 (2) (b) to (j) GDPR is satisfied.
  • The CJEU indicated that marketplace operators may be required to implement appropriate technical and organizational security measures under Article 32 GDPR to mitigate risks of unlawful copying and republication of advertisements containing special categories of personal data, though the court does not concretely specify such measures.
    • The marketplace operator may be required to implement appropriate safeguards at the design stage where the presence of special categories of personal data is foreseeable. However, the court does not clarify how to identify, in advance, content containing special categories of personal data.

Why is the Case Special?

The CJEU’s ruling is thus based on a fairly specific case. Without further guiding case-law it may not be prudent to overgeneralize the case's implications for hosting / intermediary providers.

In its general terms and conditions, Russmedia expressly retained the right to use, distribute, transmit, reproduce, modify, translate, transfer and remove published content at any time at its own discretion. In particular, these fairly strong rights of use made the CJEU believe that Russmedia reserved the right to process and use the personal data contained in the advertisements for its own purposes, and not just for providing its services to the advertiser and processing the personal data on its behalf.

Other marketplace providers without such extensive rights may not necessarily qualify as (joint) controllers and may then potentially be able to avoid the far-reaching GDPR obligations, unless:

  • The advertisement included identifiable photographs and a phone number as well as special categories of data (i.e., relating to someone's sex life) and was published without the data subject's consent. The sensitive nature of the data significantly heightened risks for the data subject.
  • Copies of the advertisement appeared on other sites that indicated the marketplace as the source. This further increases the risk of unlawful copying and dissemination of the personal data. 
  • The ability to anonymously post advertisements facilitates the publication of such personal data without obtaining the data subject’s consent.

Operators of online marketplaces should analyze the potential implications of this ruling for their obligations and liability exposure.