Judgment of the Court (Grand Chamber) of 2 December 2025 (request for a preliminary ruling from the Curtea de Apel Cluj – Romania) – X v Russmedia Digital SRL, Inform Media Press SRL

(Case C-492/23, (1) Russmedia Digital and Inform Media Press)

(Reference for a preliminary ruling - Protection of personal data - Regulation (EU) 2016/679 - Article 4(7) - Concept of ‘controller’ - Responsibility of the operator of an online marketplace for the publication of personal data contained in advertisements placed on its online marketplace by user advertisers - Article 5(2) - Principle of accountability - Article 26 - Joint control with user advertisers - Article 9(1) and (2)(a) - Advertisements containing sensitive data - Lawfulness of processing - Consent - Articles 24, 25 and 32 - Obligations of the controller - Prior identification of the advertisements containing such data - Prior identification of the identity of the user advertiser - Refusal of publication of unlawful advertisements - Security measures such as to prevent the copying of advertisements and their publication on other websites - Electronic commerce - Directive 2000/31/EC - Articles 12 to 15 - Possibility for such an operator, with regard to an infringement of those obligations, to rely on the exemption from liability of an intermediary information society service provider)

(C/2026/602)

Language of the case: Romanian

Referring court

Curtea de Apel Cluj

Parties to the main proceedings

Applicant: X

Defendants: Russmedia Digital SRL, Inform Media Press SRL

Operative part of the judgment

Article 5(2) and Articles 24 to 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements and by means of appropriate technical and organisational measures,

—	to identify the advertisements that contain sensitive data in terms of Article 9(1) of that regulation,

—	to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,

—

to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.

Article 32 of Regulation 2016/679

must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required to implement appropriate technical and organisational security measures in order to prevent advertisements published there and containing sensitive data, in terms of Article 9(1) of that regulation, from being copied and unlawfully published on other websites.

Article 1(5)(b) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) and Article 2(4) of Regulation 2016/679

must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of Regulation 2016/679, of the personal data contained in advertisements published on its online marketplace, cannot rely, in respect of an infringement of the obligations arising from Article 5(2) and Articles 24 to 26 and 32 of that regulation, on Articles 12 to 15 of that directive, relating to the liability of intermediary providers.

(1) OJ C, C/2023/1126.