On 2 December 2025, the ECJ handed down its judgment in X v Russmedia Digital and Inform Media Press. It concluded that online marketplaces are (joint) data controllers under the GDPR where they process personal data in user-generated content for their own commercial purposes. To comply with their GDPR obligations as controller, they must screen content for personal data and ensure GDPR compliance ahead of publication. In addition, they cannot rely on e-Commerce Directive/Digital Services Act exemptions to avoid GDPR compliance or liability.
Background
Russmedia Digital (Russmedia) is an online marketplace on which ads can be published anonymously, free of charge or for a fee. The reference from Romania related to the responsibilities of the platform in relation to an ad placed anonymously on its marketplace for a woman's sexual services. The ad contained photos which were used without the individual's consent together with her phone number. Russmedia removed the material within an hour of being put on notice, however, the ad had already appeared on other websites by then where it remained accessible. At first instance in Romania, the court held that Russmedia was liable to the individual, however, on appeal, the court found the company to be a mere hosting service under the e-Commerce Directive and, therefore, protected from liability for the content. A further appeal resulted in references to the ECJ.
The ECJ ruling
The questions referred to the ECJ asked (in summary):
- whether the operator of an online marketplace such as Russmedia is liable for GDPR breaches in relation to content in adverts published on its marketplace containing personal data, including sensitive data, and
- whether the e-Commerce Directive hosting exemption would apply so that the operator would not have any liability in relation to the content of the adverts.
The ECJ held the operator was a controller of the personal data in the ads on its marketplace and was therefore liable for breaches of the GDPR in relation to that data. Moreover, it could not rely on the e-Commerce Directive to avoid GDPR obligations and liability.
Operator of online marketplace as (joint) controller
The ECJ held Russmedia is a joint controller (with the user placing the advert) for GDPR purposes of personal data contained in adverts published on the internet and accessible to users only as a result of its publication, because it has a decisive influence on the processing of that data. In addition, it reserves certain rights in relation to the content, including to copy, distribute, transmit, modify and transfer it for its own commercial purposes. It participates in determining the purpose of the processing which consists of making the personal data contained in the advertisement accessible to internet users for monetisation purposes. In addition, by allowing ads to be placed anonymously, in the instance in question, it facilitated publication of special category data without the consent of the data subject.
The ECJ held that Russmedia cannot escape its responsibility as (joint) controller on the grounds that it does not itself determine the content of the advertisement. In addition, where Russmedia transmits the content to third parties for its own purposes, this is a new processing operation in relation to which it is sole controller.
As a (joint) controller, Russmedia must therefore use appropriate technical and organisational measures ahead of publication to identify ads that contain sensitive (special category) data and verify whether that data relates to the person placing the ad. If the data does not relate to that individual, it must verify whether the person whose data is to be published has given their consent to publication. If not, it must refuse publication unless covered by another Article 9 GDPR exception. It must also take steps to prevent ads containing sensitive data which are published on its website from being copied and unlawfully published on other sites, by using appropriate technical and organisational security measures.
We are still digesting the detail, but our initial view is that the Court makes a logical jump from the (defensible) finding that Russmedia is a joint controller with users who upload advertisements to its platform, to a finding that Russmedia must check all ads in advance of posting for special category data as part of its controller obligations.
The ECJ decision varies from the AG Opinion which suggested operators like Russmedia might be exempt from liability in relation to content in ads on their platform where they have a neutral and technical role, although, as processors, they would still be required to have adequate security measures to protect the personal data.
The e-Commerce Directive
The ECJ held that Russmedia cannot avoid its GDPR responsibilities by relying on the hosting exemption (Articles 12-14) and the 'no monitoring obligation' (Article 15) of the e-Commerce Directive – now Articles 4-6 and 8 of the Digital Services Act (DSA). The e-Commerce Directive – and now the DSA – cannot undermine the requirements of the GDPR (as stated in the La Quadrature du Net decision).
What does this mean for you?
This decision throws the role of platforms in relation to user-generated content they publish into new light where they are in scope of the GDPR. The judgment makes it clear that a platform operator can be a (joint) controller of personal data (not just sensitive personal data) in user-generated content, where it exerts sufficient control over that data. Many of the larger social media and UGC platforms already identify as controller, but we suspect some, like Russmedia, which show classified advertisements, may erroneously identify as processor of UGC content. The judgment does not, however, discuss the processor role in any detail
Russmedia reserved wide rights to re-use and commercialise the adverts uploaded by their users, including the right to publish on other platforms for instance, which makes the finding that they are a controller unsurprising. For other UGC platforms though, the Court makes it clear that much more limited processing activities can still make a platform a controller for GDPR purposes. A platform which hosts UGC and which "sets the parameters for the dissemination of advertisements likely to contain personal data depending on the recipients concerned, determines the presentation and duration of that dissemination or the headings structuring the information published, or even organises the classification which will determine the arrangements for such dissemination" exerts a sufficient influence to be a controller under the GDPR. Note these are each separately, in the Court's view, sufficient to make a platform a controller.
The judgment cites case law to the effect that a person will qualify as a controller where they influence the processing for their own purposes and adds that this may be the case when the operator of an online marketplace publishes the personal data concerned for commercial or advertising purposes which go beyond the simple provision of a service provided to the user placing the advert, eg where it is for its own advertising and commercial purposes rather than for those of the user placing the ad. The Court's analysis leaves us struggling to think of a UGC platform that would not qualify as a controller.
This aspect of the judgment should not come as a surprise – it is consistent with EU case law and EDPB guidance both of which establish a low bar for organisations being controllers because protection of the fundamental rights of individuals is paramount.
Once the controller bar is met, the full range of GDPR obligations will apply. This means the platform operator will need to identify special category personal data ahead of publication and verify that the data refers to the user placing the ad, or that a suitable lawful basis (and potentially an Article 9 GDPR exemption) applies. Platforms may want to consider adding or strengthening rules prohibiting special category content to facilitate compliance. By the same logic, in relation to non-special category data, an Article 6 lawful basis would be required, but the Court does not directly address that point.
Where operators are joint controllers, they will be required to agree their rights and responsibilities in accordance with Article 26 GDPR. This requires joint controllers to "determine their respective responsibilities for compliance" between them and we would expect platforms to seek to place some of the responsibility on the user uploading the ad.
This is most likely to be done in the operator's terms of use which could, for example, place any obligation to get user consent to processing special category data, and to keep a record of that consent, on the user uploading the content. This is already common practice in the B2B digital advertising context where personal data is used to target and measure online ads), but not for UGC more widely.
In practice, however, it might be that only the business running the platform is in a position to ensure ads are properly checked to ensure no special category data is included. This point is glossed over in the judgment but may be something platforms should consider when assessing the impact of this ruling.
Operators of platforms with user-generated content containing personal data may need to re-assess their role and whether they are controllers (or joint controllers) of that data under the GDPR in light of this judgment. If they are, they need to ensure they comply with GDPR requirements. It is important to get this right, as the judgment confirms that, where GDPR obligations or liability arise as controller or joint controller (and by implication, as processor), it will not be possible to rely on Articles 12-14 of the e-Commerce Directive/Articles 4-6, 8 DSA to avoid them.
