On 2 December 2025, the Court of Justice of the European Union (hereinafter “CJEU”) delivered a landmark judgment in Case C-492\/23 (Russmedia Digital SRL),<\/span>\u00a0which fundamentally redefines the liability framework for operators of online marketplace platforms in the field of personal data protection law. The judgment concerns the interpretation of Regulation (EU) 2016\/679 (General Data Protection Regulation \u2013 hereinafter “GDPR”),\u00a0<\/span>Directive (EU) 2000\/31 (E-Commerce Directive)<\/span>\u00a0and Regulation (EU) 2022\/2065 (Digital Services Act),<\/span>\u00a0in a case where a false and defamatory advertisement was published anonymously on an online platform, presenting the applicant as a person offering sexual services, using her photographs and telephone number without her consent.\u00a0<\/span><\/p>\n The judgment acquires particular significance as it imposes strict preventive obligations on platform operators, overturning the traditional notion of the “passive intermediary” and establishing new compliance standards for all businesses that manage user-generated content.<\/p>\n Russmedia Digital operates publi24.ro, an online marketplace on which advertising announcements concerning the sale of goods or provision of services in Romania can be published free of charge or for a fee.\u00a0<\/span>On this platform, the publication of advertisements was permitted without user identification.<\/p>\n On 1 August 2018, an unidentified third party published on the platform a false and defamatory advertisement presenting the applicant as a person offering sexual services, including photographs of her used without her consent, as well as her telephone number.<\/span> Although the advertisement was removed from the platform within one hour of Russmedia being notified by the applicant, the content had already been copied and published on other websites, with reference to the original source,<\/span>\u00a0making the harm permanent.<\/p>\n The CJEU adopted a broad interpretation of the concept of “data controller”. According to Article 4(7) GDPR, the data controller is defined as the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.\u00a0<\/span>The CJEU clarified that any natural or legal person which influences, for purposes of its own, the processing of such data and thereby participates in the determination of the purposes and means of that processing may be regarded as a controller of that processing.<\/span><\/p>\n In the case at hand, the CJEU held that Russmedia did not operate as a mere “passive intermediary”. The company publishes advertisements on its platform for its own commercial purposes, as the general terms and conditions of use of its platform grant it broad freedom to exploit the information published thereon. Specifically, Russmedia reserves the right to use the published content, to distribute it, transmit it, reproduce it, modify it, translate it, transfer it to partners and delete it at any time without needing a “valid reason” to do so. <\/span>Consequently, Russmedia does not publish the personal data contained in the advertisements exclusively on behalf of the user-advertisers, but processes and may exploit that data for advertising and commercial purposes of its own.<\/span><\/p>\n Article 26(1) GDPR provides that where two or more controllers jointly determine the purposes and means of processing, they are joint controllers of that processing.\u00a0<\/span>The CJEU clarified that joint controllership does not necessarily require the existence of joint decisions concerning the determination of the purposes and means of the processing of the personal data concerned, but participation in the determination of those purposes and means may take various forms.\u00a0<\/span><\/p>\n This judgment followed the Guidelines 08\/2020 of the European Data Protection Board (hereinafter “EDPB”) on targeting of social media users, <\/span>which analyse in detail the participation of platforms as joint controllers.<\/p>\n Specifically, these guidelines:<\/p>\n These principles extend fully to judgment C-492\/23, as under it, the marketplace platform does not merely intermediate, but actively participates in determining the means of publication.<\/p>\n The CJEU imposed three critical preventive obligations on online platform operators:<\/p>\n The operator of an online platform, where it knows or should know that, as a general rule, advertisements containing sensitive data within the meaning of Article 9(1) GDPR are likely to be published by user-advertisers on its platform, is obliged, from the design stage of its service onwards, to implement appropriate technical and organisational measures to identify such advertisements before their publication.<\/span><\/p>\n This obligation flows from the principle of “data protection by design” enshrined in Article 25(1) GDPR.<\/span><\/p>\n The operator of an online platform, as controller of the publication of sensitive data contained in an advertisement published on its platform, jointly with the user-advertiser, has an obligation to collect the identity of that user-advertiser and to verify whether that person is the person whose sensitive data appears in that advertisement.\u00a0<\/span><\/p>\n The CJEU emphasised that in order to be able to ensure and demonstrate that the requirements of Article 9(2)(a) GDPR are met, the platform operator must provide, in accordance with Articles 24 and 25 of the Regulation, appropriate technical and organisational measures enabling it not only to collect but also to verify the identity of the user-advertiser before publication of such advertisements.<\/span><\/p>\n Where it is established \u2013 following such verification of the identity of the user-advertiser who is about to publish an advertisement \u2013 that this person is not the person whose sensitive data appears in that advertisement, unless that user-advertiser can adequately demonstrate that the data subject has given their explicit consent for that data to be published on that platform, the platform operator must refuse publication of the advertisement.<\/span><\/p>\n Article 32 GDPR must be interpreted as meaning that the operator of an online platform, as controller of the processing of data contained in advertisements published on its platform, is obliged to implement appropriate technical and organisational security measures to prevent the copying and unlawful publication on other websites of advertisements published thereon containing sensitive data.\u00a0<\/span><\/p>\n The CJEU noted that where sensitive data is the subject of online publication, the data controller is obliged, pursuant to Article 32 GDPR, to take all technical and organisational measures to ensure a level of security capable of effectively preventing the loss of control of that data.\u00a0<\/span><\/p>\n Of critical importance is the CJEU’s ruling that the operator of an online platform, as controller of the processing of data contained in advertisements published on its platform, cannot invoke, in respect of a violation of the obligations arising from Articles 5(2), 24 to 26 and 32 GDPR, Articles 12 to 15 of Directive 2000\/31 relating to the liability of intermediary providers. <\/span>The CJEU relied on the principle that the provisions of Directive 2000\/31, in particular Articles 12 to 15 thereof, cannot affect the regime of the GDPR, given that Article 1(5)(b) of Directive 2000\/31 provides that that directive does not apply to issues relating to information society services covered by Directives 95\/46 and 97\/66 (now GDPR).<\/span><\/p>\n Judgment C-492\/23 acquires additional significance in light of Regulation (EU) 2022\/2065 on a Single Market for Digital Services (Digital Services Act or DSA), which entered into application on 17 February 2024.<\/span><\/p>\n The DSA replaces Articles 12-15 of the E-Commerce Directive concerning the liability of intermediary providers,<\/span>\u00a0introducing tiered obligations for online platforms, including:<\/p>\n The interesting aspect here is that while the DSA focuses on addressing illegal content after publication (reactive approach), the CJEU judgment imposes preventive obligations under the GDPR (proactive approach). The two regimes are complementary and not mutually exclusive.<\/p>\n Specifically, Article 2(4) GDPR ensures that the Regulation applies without prejudice to the DSA, <\/span>while in parallel, judgment C-492\/23 makes clear that the liability exemptions of the DSA cannot be invoked for GDPR violations.<\/p>\n For Hellenic marketplace platforms, judgment C-492\/23 creates immediate obligations:<\/p>\n a. Simultaneous Compliance with DSA and GDPR<\/strong><\/p>\n b. Cross-Border Application<\/strong> The DSA has express extraterritorial effect, requiring platforms outside the EU serving users within the Union to appoint a legal representative within the EU \u2013 similar to the obligation under Article 27 GDPR.<\/p>\n c. Increased Risk of Fines<\/strong> Platforms that violate both the GDPR and the DSA are exposed to dual fines from different regulatory authorities (Hellenic Data Protection Authority for GDPR, National Digital Services Coordinator for DSA).<\/p>\n 1. Systems for Identifying Sensitive Data<\/strong><\/p>\n Platform operators must immediately develop or procure:<\/p>\n 2. Mandatory User Identification<\/strong><\/p>\n Anonymous publication of content that may contain personal data is no longer viable. Required:<\/p>\n 3. Technical Measures Against Copying<\/strong><\/p>\n 1. Review of Terms of Use<\/strong><\/p>\n General terms of use that grant extensive rights to the platform (as in the case under review) strengthen the evidence of controller status. Recommended redrafting for:<\/p>\n 2. Data Protection Impact Assessment (DPIA)<\/strong><\/p>\n The judgment makes a Data Protection Impact Assessment mandatory for all platforms that permit user-generated content.<\/p>\n The judgment significantly strengthens the rights of individuals:<\/p>\n Judgment C-492\/23 marks the transition from the “passive intermediary” model to a regime of preventive vigilance for online platform operators. The inability to invoke the exemptions of the E-Commerce Directive in the field of data protection creates an autonomous liability regime that requires radical revision of business models.<\/p>\n The three pillars of compliance \u2013 identification, verification, refusal \u2013 must be integrated into the operational design core of every platform that hosts user content. The judgment also creates new opportunities for data subjects, as the joint controllership of platforms broadens the spectrum of compensation claims.<\/p>\n For the Hellenic and European market, implementation of the judgment will require significant investments in technology, legal advice and process redesign. Platforms that fail to adapt face the dual risk of administrative fines from Data Protection Authorities and civil liability towards victims of unlawful processing.<\/p>\n","protected":false},"excerpt":{"rendered":" Introduction: The End of Platform “Neutrality” On 2 December 2025, the Court of Justice of the European Union (hereinafter “CJEU”) delivered a landmark judgment in Case C-492\/23 (Russmedia Digital SRL),\u00a0which fundamentally redefines the liability framework for operators of online marketplace platforms in the field of personal data protection law. The judgment concerns the interpretation of […]<\/p>\n","protected":false},"author":4,"featured_media":1823,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[755,754,767,69,765,772,159,766,446,464,760,609,670,111,764,768,761,769,400,757,774,759,758,137,770,459,150,773,771,756,752,753,401,763,762],"class_list":["post-1824","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-c-492-23","tag-cjeu-judgment","tag-content-moderation","tag-cybersecurity-en","tag-data-governance","tag-data-processing","tag-data-protection-en","tag-data-security-measures","tag-digital-services-act","tag-dsa-en","tag-dsa-compliance","tag-eu-law","tag-eu-regulation","tag-gdpr-en","tag-identity-verification","tag-intermediary-liability","tag-joint-controllers","tag-law-firm","tag-legal-analysis","tag-marketplace-liability","tag-online-ads-platforms","tag-online-marketplaces","tag-online-platforms","tag-personal-data","tag-platform-compliance","tag-platform-liability","tag-privacy-law","tag-proactive-compliance","tag-risk-management","tag-russmedia-case","tag-sensitive-data","tag-special-categories-of-data","tag-tech-law","tag-ugc","tag-user-generated-content"],"_links":{"self":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/comments?post=1824"}],"version-history":[{"count":7,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1824\/revisions"}],"predecessor-version":[{"id":1832,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1824\/revisions\/1832"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media\/1823"}],"wp:attachment":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media?parent=1824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/categories?post=1824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/tags?post=1824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}The Factual Background of the Case<\/h2>\n
The Concept of “Data Controller” and Joint Controllership<\/h2>\n
A. Broad Interpretation of the Concept<\/h3>\n
B. Application to Platform Operators<\/h3>\n
C. Joint Controllership with Users<\/h3>\n
\n
The Preventive Obligations of Platform Operators<\/h2>\n
A. Obligation to Identify Special Categories of Personal Data<\/h3>\n
B. Obligation to Verify Identity<\/h3>\n
C. Obligation to Refuse Publication<\/h3>\n
Security Measures Against Copying and Dissemination<\/h2>\n
Inability to Invoke the E-Commerce Directive<\/h2>\n
The Digital Services Act (DSA) \u2013 A Complementary Dimension<\/h2>\n
\n
Practical Application in the Greek Market<\/h2>\n
\n
Practical Implications and Compliance Recommendations<\/h2>\n
For Marketplace Platform Operators<\/h3>\n
\n
\n
\n
For Legal Advisors<\/h3>\n
\n
For Data Subjects<\/h3>\n
\n
Conclusion: A New Era for Online Platforms<\/h2>\n