Online Platforms and GDPR: The Turning Point of Judgment C-492/23 on Marketplace Liability


Introduction: The End of Platform “Neutrality”

On 2 December 2025, the Court of Justice of the European Union (hereinafter “CJEU”) delivered a landmark judgment in Case C-492/23 (Russmedia Digital SRL), which fundamentally redefines the liability framework for operators of online marketplace platforms in the field of personal data protection law. The judgment concerns the interpretation of Regulation (EU) 2016/679 (General Data Protection Regulation – hereinafter “GDPR”), Directive (EU) 2000/31 (E-Commerce Directive) and Regulation (EU) 2022/2065 (Digital Services Act), in a case where a false and defamatory advertisement was published anonymously on an online platform, presenting the applicant as a person offering sexual services, using her photographs and telephone number without her consent. 

The judgment acquires particular significance as it imposes strict preventive obligations on platform operators, overturning the traditional notion of the “passive intermediary” and establishing new compliance standards for all businesses that manage user-generated content.

The Factual Background of the Case

Russmedia Digital operates publi24.ro, an online marketplace on which advertising announcements concerning the sale of goods or provision of services in Romania can be published free of charge or for a fee. On this platform, the publication of advertisements was permitted without user identification.

On 1 August 2018, an unidentified third party published on the platform a false and defamatory advertisement presenting the applicant as a person offering sexual services, including photographs of her used without her consent, as well as her telephone number. Although the advertisement was removed from the platform within one hour of Russmedia being notified by the applicant, the content had already been copied and published on other websites, with reference to the original source, making the harm permanent.

The Concept of “Data Controller” and Joint Controllership

A. Broad Interpretation of the Concept

The CJEU adopted a broad interpretation of the concept of “data controller”. According to Article 4(7) GDPR, the data controller is defined as the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The CJEU clarified that any natural or legal person which influences, for purposes of its own, the processing of such data and thereby participates in the determination of the purposes and means of that processing may be regarded as a controller of that processing.

B. Application to Platform Operators

In the case at hand, the CJEU held that Russmedia did not operate as a mere “passive intermediary”. The company publishes advertisements on its platform for its own commercial purposes, as the general terms and conditions of use of its platform grant it broad freedom to exploit the information published thereon. Specifically, Russmedia reserves the right to use the published content, to distribute it, transmit it, reproduce it, modify it, translate it, transfer it to partners and delete it at any time without needing a “valid reason” to do so. Consequently, Russmedia does not publish the personal data contained in the advertisements exclusively on behalf of the user-advertisers, but processes and may exploit that data for advertising and commercial purposes of its own.

C. Joint Controllership with Users

Article 26(1) GDPR provides that where two or more controllers jointly determine the purposes and means of processing, they are joint controllers of that processing. The CJEU clarified that joint controllership does not necessarily require the existence of joint decisions concerning the determination of the purposes and means of the processing of the personal data concerned, but participation in the determination of those purposes and means may take various forms. 

This judgment followed Guidelines 08/2020 of the European Data Protection Board (hereinafter “EDPB”) on the targeting of social media users, which analyse in detail the participation of platforms as joint controllers.

Specifically, these guidelines:

  • Confirm that joint controllership between social media platform providers and advertisers will apply extensively when they effectively jointly determine the means and purposes of a processing activity;
  • Clarify that access to personal data is not a prerequisite for joint controllership;
  • Emphasise the need to conclude joint controller agreements pursuant to Article 26 GDPR.

These principles extend fully to judgment C-492/23, under which the marketplace platform does not merely intermediate but actively participates in determining the means of publication.

The Preventive Obligations of Platform Operators

The CJEU imposed three critical preventive obligations on online platform operators:

A. Obligation to Identify Special Categories of Personal Data

The operator of an online platform, where it knows or should know that, as a general rule, advertisements containing sensitive data within the meaning of Article 9(1) GDPR are likely to be published by user-advertisers on its platform, is obliged, from the design stage of its service onwards, to implement appropriate technical and organisational measures to identify such advertisements before their publication.

This obligation flows from the principle of “data protection by design” enshrined in Article 25(1) GDPR.

B. Obligation to Verify Identity

The operator of an online platform, as controller of the publication of sensitive data contained in an advertisement published on its platform, jointly with the user-advertiser, has an obligation to collect the identity of that user-advertiser and to verify whether that person is the person whose sensitive data appears in that advertisement. 

The CJEU emphasised that in order to be able to ensure and demonstrate that the requirements of Article 9(2)(a) GDPR are met, the platform operator must provide, in accordance with Articles 24 and 25 of the Regulation, appropriate technical and organisational measures enabling it not only to collect but also to verify the identity of the user-advertiser before publication of such advertisements.

C. Obligation to Refuse Publication

Where verification of the identity of the user-advertiser who is about to publish an advertisement establishes that this person is not the person whose sensitive data appears in that advertisement, the platform operator must refuse publication of the advertisement, unless that user-advertiser can adequately demonstrate that the data subject has given their explicit consent for that data to be published on that platform.

Security Measures Against Copying and Dissemination

Article 32 GDPR must be interpreted as meaning that the operator of an online platform, as controller of the processing of data contained in advertisements published on its platform, is obliged to implement appropriate technical and organisational security measures to prevent the copying and unlawful publication on other websites of advertisements published thereon containing sensitive data. 

The CJEU noted that where sensitive data is the subject of online publication, the data controller is obliged, pursuant to Article 32 GDPR, to take all technical and organisational measures to ensure a level of security capable of effectively preventing the loss of control of that data. 

Inability to Invoke the E-Commerce Directive

Of critical importance is the CJEU’s ruling that the operator of an online platform, as controller of the processing of data contained in advertisements published on its platform, cannot invoke, in respect of a violation of the obligations arising from Articles 5(2), 24 to 26 and 32 GDPR, Articles 12 to 15 of Directive 2000/31 relating to the liability of intermediary providers. The CJEU relied on the principle that the provisions of Directive 2000/31, in particular Articles 12 to 15 thereof, cannot affect the regime of the GDPR, given that Article 1(5)(b) of Directive 2000/31 provides that that directive does not apply to issues relating to information society services covered by Directives 95/46 and 97/66 (now GDPR).

The Digital Services Act (DSA) – A Complementary Dimension

Judgment C-492/23 acquires additional significance in light of Regulation (EU) 2022/2065 on a Single Market for Digital Services (Digital Services Act or DSA), which entered into application on 17 February 2024.

The DSA replaces Articles 12-15 of the E-Commerce Directive concerning the liability of intermediary providers, introducing tiered obligations for online platforms, including:

  • Notice-and-action mechanisms for the removal of illegal content,
  • Internal complaint-handling systems with a right to out-of-court dispute resolution,
  • Transparency obligations for algorithmic decisions and targeted advertising,
  • Prohibition on the use of sensitive data for profiling-based advertising.

The interesting aspect here is that while the DSA focuses on addressing illegal content after publication (reactive approach), the CJEU judgment imposes preventive obligations under the GDPR (proactive approach). The two regimes are complementary and not mutually exclusive.

Specifically, Article 2(4) GDPR ensures that the Regulation applies without prejudice to the DSA, while in parallel, judgment C-492/23 makes clear that the liability exemptions of the DSA cannot be invoked for GDPR violations.

Practical Application in the Greek Market

For Hellenic marketplace platforms, judgment C-492/23 creates immediate obligations:

a. Simultaneous Compliance with DSA and GDPR

  • Implementation of the notice-and-action systems of the DSA (Articles 16-17)
  • Parallel application of the preventive obligations of judgment C-492/23

b. Cross-Border Application

The DSA has express extraterritorial effect, requiring platforms outside the EU serving users within the Union to appoint a legal representative within the EU – similar to the obligation under Article 27 GDPR.

c. Increased Risk of Fines

Platforms that violate both the GDPR and the DSA are exposed to dual fines from different regulatory authorities (Hellenic Data Protection Authority for GDPR, National Digital Services Coordinator for DSA).

Practical Implications and Compliance Recommendations

For Marketplace Platform Operators

1. Systems for Identifying Sensitive Data

Platform operators must immediately develop or procure:

  • Automated content moderation tools,
  • Filters that recognise references to sensitive data (health, sex life, racial origin, political beliefs, etc.),
  • Manual review procedures for ambiguous cases.

2. Mandatory User Identification

Anonymous publication of content that may contain personal data is no longer viable. The following are required:

  • Identity verification through official documents (e-KYC processes),
  • Two-factor authentication,
  • Systems that cross-check the identity of the poster with the data in the advertisement.

3. Technical Measures Against Copying

  • Implementation of watermarking technologies,
  • Content Security Policy (CSP) headers and Digital Rights Management (DRM),
  • Monitoring of the internet for unauthorised republications (web scraping detection).

For Legal Advisors

1. Review of Terms of Use

General terms of use that grant extensive rights to the platform (as in the case under review) strengthen the evidence of controller status. Redrafting is recommended to provide for:

  • Clear demarcation of the platform’s role,
  • Express transfer of liability to users,
  • Creation of joint controller agreements pursuant to Article 26 GDPR.

2. Data Protection Impact Assessment (DPIA)

The judgment makes a Data Protection Impact Assessment mandatory for all platforms that permit user-generated content.

For Data Subjects

The judgment significantly strengthens the rights of individuals:

  • Right to compensation against the platform operator (not only against the poster),
  • Ability to invoke breach of preventive obligations,
  • Strengthened position in out-of-court settlement negotiations.

Conclusion: A New Era for Online Platforms

Judgment C-492/23 marks the transition from the “passive intermediary” model to a regime of preventive vigilance for online platform operators. The inability to invoke the exemptions of the E-Commerce Directive in the field of data protection creates an autonomous liability regime that requires radical revision of business models.

The three pillars of compliance – identification, verification, refusal – must be integrated into the operational design core of every platform that hosts user content. The judgment also creates new opportunities for data subjects, as the joint controllership of platforms broadens the spectrum of compensation claims.

For the Hellenic and European market, implementation of the judgment will require significant investments in technology, legal advice and process redesign. Platforms that fail to adapt face the dual risk of administrative fines from Data Protection Authorities and civil liability towards victims of unlawful processing.