DPL Consult Data Protection Agency

On the responsibility of online marketplaces

The ECJ ruling of 2 December 2025 (case reference: C-492/23) initially sounds like a special problem for lawyers. In fact, however, it relates in very practical terms to how online marketplaces and platforms must deal with user adverts that contain personal data, such as photos, telephone numbers or other details that make a person identifiable. The starting point was an ad on a Romanian online marketplace that was published without the consent of the person concerned and was particularly sensitive because it conveyed intimate, stigmatising content.

At the heart of the case was the question of whether the platform operator is merely a "technical service provider" that hosts third-party content, or whether it is itself responsible under data protection law. The ECJ's answer is clear: the operator of an online marketplace is the "controller" within the meaning of the GDPR for the processing of personal data contained in user adverts. This applies in any case if the platform not only stores the data neutrally, but actively structures and commercially utilises the publication, for example by specifying the presentation, categorisation, duration and reach or through its own commercial purposes such as advertising. Precisely because the data is only "brought onto the Internet" and made accessible to the public by the platform, the platform does not remain in a purely passive role.

What the ECJ derives from this is particularly far-reaching: for platforms, a mere "report-and-delete" approach is not sufficient if their service typically harbours the risk of users posting sensitive data. The ECJ emphasises that data controllers must ensure the principles of lawful data processing and must therefore design technical and organisational measures in such a way that data protection violations are prevented as far as possible before publication. For "special categories" of personal data (colloquially: sensitive data, such as data relating to sexual life), this means that publication is generally prohibited unless explicit consent has been obtained or another narrowly defined exception pursuant to Art. 9 para. 2 GDPR applies. Accordingly, the operator must provide processes that reliably safeguard these requirements before publication.

The ECJ links this to very specific compliance consequences. The judgement shows that the platform operator cannot simply close its eyes to the problem of consent in the case of an anonymous advertising system. If the platform and advertiser jointly enable publication, the platform operator must be able to collect the identity of the advertiser and verify it within a suitable framework in order to make the responsibilities and evidence (in particular regarding consent for sensitive data) practically manageable. Furthermore, the ECJ clarifies that the liability privileges of e-commerce law (and the logic of "no general monitoring obligation") do not override the obligations arising from the GDPR. Responsibility under data protection law and the obligation to take appropriate protective measures exist independently of this.

In practice, this is a paradigm shift: operators of classifieds portals, marketplaces and platforms with user-generated adverts need to rethink their product and moderation architecture, moving away from purely reactive processes towards risk-based precautions "by design". The more likely a service is to be at risk of abuse (e.g. personals, personalised services, adult categories), the more likely it is that identity checks, pre-filters, staged approvals, consent workflows and robust verification processes will be required. At the same time, the risk of liability and fines increases because those affected can no longer only take action against the anonymous advertiser, but also directly against the platform operator under data protection law.
