Russmedia Digital (C-492/23): tightened controller responsibility for online platforms under the GDPR

1 min read • Simon • GDPR • 2 December 2025
  1. Controller status and joint controllership
  2. Special category data requires proactive controls
  3. Security and copying under Article 32
  4. Implications for platforms operating in Europe

The Court of Justice of the European Union’s judgment in Russmedia (C-492/23) tightens GDPR liability for operators of digital marketplaces and other online platforms, and is of particular relevance to GDPR lawyers. The Court holds that the platform operator is a controller for personal data in users’ advertisements – even where the platform has not itself created or selected the content.

Controller status and joint controllership

The decisive factor is that the advertisement becomes public through the platform and that the platform operator commercially exploits the personal data. In such circumstances, the platform and the advertiser will ordinarily be regarded as joint controllers under the GDPR.

Accordingly, the platform cannot characterise itself merely as a “technical intermediary” or as a processor. The responsibility encompasses, among other things, the accountability principle (Article 5(2)), Articles 24–26 and Article 32 on security.

Special category data requires proactive controls

For advertisements that may contain special category data under Article 9 GDPR, the judgment imposes clear ex ante requirements. Before such an advert is published, the platform operator must:

  • assess whether special category data is present (under Article 9(1) GDPR),
  • verify whether the advertiser is the data subject, and
  • if not, ensure that explicit consent or another basis under Article 9(2) exists.

If there is no lawful basis for the processing, the platform must refuse to publish the advert. The Court thereby clarifies that controller responsibility includes proactive identity checks and establishing a legal basis.

Security and copying under Article 32

Once special category data has been published, it can be rapidly copied and disseminated beyond the platform’s control. Against that backdrop, the Court links responsibility to Article 32 GDPR: platforms must implement appropriate technical and organisational measures to reduce the risk of copying, scraping and unauthorised republication.

Implications for platforms operating in Europe

For operators of buy-and-sell sites, job portals, housing platforms and similar services, the judgment means that user terms cannot “shift” responsibility onto users. The following measures are worth considering:

  • map out when the platform is (joint) controller,
  • embed gates and controls in the advert workflow, particularly for special category data,
  • update information, contracts and any joint controllership arrangements, and
  • strengthen security measures against copying and onward dissemination.

In summary, the Russmedia ruling signals that online platforms must take an active and documented responsibility for personal data in user-generated advertising content, especially where special category data may occur.

At Morling Consulting, our GDPR specialists support companies and organisations across Europe in interpreting new EU case law, analysing controllership and embedding GDPR compliance in products, contracts and internal processes.

12 December 2025

How to know when you need support from a commercial lawyer
Read more
The image shows three people in suits sitting and discussing a document.

9 December 2025

How the Anti-Money Laundering Act affects regulated financial activities
Read more
Contract lawyer coordinating and reviewing offer, LOI and final contract through email and digitally signed documents.

5 December 2025

A contract law attorney clarifies the boundary between an offer, a Letter of Intent and a contract
Read more