On 2 December 2025, the Court of Justice of the European Union delivered an important judgment (Russmedia, C-492/23) on the responsibility of online platforms for advertisements containing personal data. The ruling shows that platforms may have far-reaching obligations under the General Data Protection Regulation (“GDPR”) when processing such personal data.

On a Romanian online marketplace of Russmedia, an advertisement was posted in which a woman was presented as offering sexual services without her consent, including her photos and phone number. Although the platform quickly removed the advertisement after the woman complained, it had already been spread via other websites. The woman subsequently held the platform liable for (inter alia) the unlawful processing of her personal data.

The Court held that, in certain circumstances, a platform operator may qualify as a (joint) controller under the GDPR for personal data contained in advertisements posted by users, for example where the platform organizes the publication, determines parameters for dissemination, or has extensive (commercial) usage rights regarding the content. This qualification may have significant consequences. According to the Court, in that case a platform must, through appropriate technical and organizational measures, verify before publication whether advertisements contain sensitive personal data and, if so, check whether the advertiser is the data subject or has obtained the data subject’s explicit consent. If such consent cannot be demonstrated, the platform must refuse publication and implement appropriate technical measures to limit further dissemination. The Court also clarifies that platforms cannot rely on the hosting liability exemptions under the Digital Services Act (“DSA”) where they fail to comply with their obligations under the GDPR.

For victims of the misuse of their personal data, for example in cases involving deepfakes or the unauthorized use of photos in advertisements, the judgment provides additional protection: in certain cases they may also hold the platform itself liable as a (joint) controller under the GDPR. For platforms, the emphasis may shift from a reactive notice-and-takedown model to more preventive control measures, such as checks before advertisements are uploaded and verification of users’ identities. At the same time, this may create tension with the position of platforms under the DSA, as active content review may raise the question whether a platform still plays a sufficiently neutral role to rely on the hosting liability exemptions under the DSA (in relation to content that is unlawful for reasons other than a breach of the GDPR). How the relationship between GDPR obligations and the DSA safe harbors will be interpreted will need to be clarified in future case law. In any event, platforms would be well advised to (re)assess their functioning, verification, and moderation processes in light of this ruling.