Obligations of Online Marketplace Operators in the Area of Personal Data Protection Following CJEU Judgment C-492/23
On 02.12.2025, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in Case C-492/23 (Russmedia Digital and Inform Media Press), which significantly affects the obligations of online marketplace operators (classified platforms, marketplaces) in the field of personal data protection under Regulation (EU) 2016/679 (GDPR). The decision eliminates previous doubts regarding the extent to which platforms may rely on the “passive role” doctrine applicable to hosting providers under Directive 2000/31/EC (the e-Commerce Directive).
The platform publi24.ro enabled an anonymous user to publish a false advertisement in which the user's photographs, telephone number and untrue statements alleging the provision of sexual services were used without the data subject’s consent. Although the platform removed the advertisement shortly after receiving the request, the content had already been disseminated to other websites. The data subject filed a claim for damages against the platform for violating her personal data protection rights.
The Court confirmed that the operator of an online marketplace is a data controller within the meaning of Article 4(7) GDPR, since the platform makes personal data publicly accessible. Platforms cannot rely on the argument that they play only a passive role; the Court clarified that an online marketplace operator cannot avoid GDPR obligations by invoking the hosting liability exemption under Article 14(1) of Directive 2000/31/EC.
Among the obligations imposed on online marketplace operators are:
Proactive Identification: Before publication, operators must implement technical and organisational measures (e.g., AI-based filters) to detect advertisements containing special categories of personal data under Article 9 GDPR (such as data concerning sexual life or health).
Verification of Consent: Operators must verify whether the advertiser is authorised to publish the data - either because they are the data subject themselves or because they have the explicit consent of the data subject. Otherwise, the advertisement must be rejected.
Prevention of Dissemination: Platforms must implement measures to prevent the copying or unlawful dissemination of such content.
Failure to comply with these obligations may result in fines of up to 4% of the operator’s worldwide annual turnover.
The judgment strengthens protections against the misuse of personal data on platforms such as Bazoš, Facebook Marketplace, and similar services. It also makes it easier for injured persons to claim compensation.
For online marketplace operators, this decision requires: a fundamental revision of personal data processing procedures, ex-ante moderation of advertisements rather than moderation triggered only by user reports, investments in automated detection systems and verification of user identity, carrying out a GDPR audit and strengthening internal documentation, and preparing for an increased risk of lawsuits and compensation claims.
This decision is binding on all EU Member States and reinforces the trend towards proactive platform responsibility, consistent with previous case law (see also Google, C-460/20).
