With its judgment in C492/23, the CJEU has set clear boundaries for online marketplaces. Platforms that publish advertisements are processing personal data and are responsible for that processing – even when the content originates from users.
The case concerned an advert on a Romanian platform that used a woman’s photos and phone number without consent and falsely claimed she offered sexual services. Although the platform removed the advert quickly, the content had already been copied and republished on thirdparty sites. Following inconsistent national court decisions, the appellate court referred questions to the CJEU regarding the interpretation of GDPR duties and the interplay with the ECommerce Directive.
The Court requires platform operators to carry out effective gatekeeping. Before publication, platforms must detect sensitive data in adverts and verify the advertiser’s identity. If an advert contains personal data relating to a third party, the operator must obtain explicit consent or rely on a GDPR exemption – otherwise, the advert cannot be published. Data concerning a person’s sex life is subject to particularly strict rules, and its processing is generally prohibited.
Operators must also implement reasonable technical and organisational measures to prevent unlawful copying and onward dissemination of sensitive adverts – for example, protection against automated scraping and systematic monitoring of reuploads.
A key point is the distinction from ECommerce law: the liability exemptions under Directive 2000/31/EC do not override data protection obligations. Operators cannot claim to be “mere hosts”.
For businesses, this creates an immediate need for action: prepublication checks, identity verification, consent and evidence management, and firmwide TOMs to prevent further dissemination are now essential.
We are happy to support you in implementing these requirements in a pragmatic, scalable and auditproof way — turning compliance into a competitive advantage.
