European Union: Court of Justice of the European Union issued ruling determining online marketplaces are responsible for use of personal data in advertisements

On 2 December 2025, the Court of Justice of the European Union delivered its judgment in X v Russmedia Digital SRL, clarifying that operators of online marketplaces are considered controllers under Article 4(7) of the General Data Protection Regulation (GDPR) for personal data contained in user-posted advertisements. The Court ruled that, under Articles 5(2) and 24 to 26 GDPR, marketplace operators must identify advertisements containing sensitive data before publication. They must verify whether the user placing the advertisement is the person whose sensitive data appears in it. If the advertiser is not that person, the advertisement must not be published unless explicit consent under Article 9(2)(a) or another exception under Article 9(2)(b)–(j) applies. Additionally, the Court held that, in line with Article 32 GDPR, operators must implement technical and organisational measures to prevent sensitive-data advertisements from being copied or unlawfully published on other websites. The Court also clarified that Article 1(5)(b) of Directive 2000/31/EC and Article 2(4) GDPR prevent operators from relying on Articles 12 to 15 of the Directive to avoid obligations under Articles 5(2), 24 to 26, and 32 GDPR.