No liability exemption from data protection obligations for online marketplaces

On the 2nd December 2025, the Court of Justice of the European Union (ECJ) ruled that an online marketplace may be a (joint) controller of personal data included in user generated adverts published on its site. The case of X v Russmedia Digital and Inform Media Press (C-492/23), demonstrates that online marketplaces must carefully consider their data protection role when posting us er generated adverts on their site. They cannot rely on the liability exemptions in the EU Digital Services Act (DSA) to avoid liability for data protection obligations, particularly where the personal data that is published is sensitive personal data.

Key facts of the case X v Russmedia Digital

• Russmedia Digital (“Russmedia”) is a Romanian online marketplace which enables users to publish adverts on the site.  
•  In August 2018 an advert was anonymously posted on Russmedia's marketplace showing a woman offering sexual services and listing a phone number. 
• The woman in the advert requested removal of the advert, stating it had been published without consent. 
• Russmedia deleted the advert within an hour following the complaint but, by this time, the advert had been copied to other websites, where it remained accessible. 
• The affected woman brought a claim against Russmedia for infringing her rights of “personal portrayal, and rights to honour, reputation and privacy, as well as the rules relating to the processing of personal data”. Following a decision that Russmedia merely provided a hosting service for user generated content and could therefore rely on the hosting exemption for intermediaries (originally in the E-Commerce Directive and now in the DSA), a number of questions were sent to the ECJ on appeal. 

Questions for the Court of Justice of the European Union (ECJ)

​​​​In summary, the ECJ was asked to consider whether the operator of an online marketplace is classed as a ‘joint controller’ with the advertiser of any personal data contained within user generated adverts on its site, what obligations an online marketplace has under the EU GDPR and whether they can rely on the hosting exemption for intermediaries under the DSA.

The ECJ ruled that:

• Under the EU GDPR, Russmedia was a joint controller (with the advertiser) of all personal data included in the advert uploaded to its site. Whilst Russmedia did not actively publish the advert, nor determine the content which contained sensitive personal data, the advert was only publicly accessible through the actions and infrastructure of Russmedia and its website. Russmedia therefore determined the ‘means’ and the ‘purpose’ for processing personal data, the requirements for ‘controller’ status under the EU GDPR. Further evidencing Russmedia’s role as a joint controller, the ECJ cited Russmedia’s processing of personal data within adverts when making these accessible on its site, its control over presentation of the advert on the site, as well as Russmedia’s terms & conditions which stated that published adverts could be used for its own commercial purposes.   
• Allowing adverts to be uploaded anonymously was determined to be assisting in the publishing of personal data without data subject consent.
• Russmedia could not avoid the data protection obligations of a controller by relying on the hosting exemption for intermediaries set out in the DSA.

What should an online marketplace operator do in response to this ruling?

As a result of the ruling, it is clear that EU GDPR obligations apply to the processing of personal data in an advert, and an online marketplace cannot use the hosting exemption to avoid liability. Consequently, online marketplace operators will need to review their processes and consider if they are acting as a joint controller of the personal data within user generated content (including third party adverts) uploaded to their sites. Online marketplace operators should review their terms and conditions and consider the rights that they have in respect of adverts uploaded by users, and whether they have the required control and influence over the processing of personal data to trigger ‘controller’ status. If an online marketplace operator is a joint controller, it will need to agree with the advertiser their respective responsibilities under the EU GDPR. Controller status brings with it a number of obligations, including the following referenced by the ECJ:

• maintain adequate technical and organisational measures to prevent any loss of control over personal data and to prevent sensitive personal data being copied and published unlawfully on other sites;
• adopt security measures to prevent adverts with sensitive information being unlawfully copied and published elsewhere;
• review adverts before they are published to its website; and
• assess adverts for sensitive personal data and, if such information is included, check if the user submitting the advert is the data subject.

Next steps

If you have any queries regarding this case and its implications for you or, regarding data protection obligations generally, please get in touch with our Commercial and Technology team at [email protected].