Home » Comunicat_Presa_12.12.2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

12.12.2025

CJEU judgment in case C-492/23 Russmedia (Publi24)

 

The Court of Justice of the European Union ruled in Case C-492/23 Russmedia (Publi24) and decided that the operator of an online marketplace is, on the basis of Regulation (EU) 2016/679, a controller of personal data contained in advertisements published on its platform. It must therefore identify, before publication, the advertisements containing sensitive data and verify whether the author of the advertisement is indeed the person whose data appears in the advertisement or whether it has received the explicit consent of that person.

Russmedia Digital is the owner of the website www.publi24.ro. This website is an online marketplace where advertisements can be published, free of charge or for a fee. The advertisements concern, among other things, the sale of goods or the provision of services in Romania.

In the case that was the subject of the CJEU ruling, the factual situation consisted in the fact that on 1 August 2018, an unidentified person published a message on this website stating that a woman was offering sexual services. The message contained photographs of her, used without her consent, as well as her telephone number. The woman reported that the ad was false and harmful, requesting the owner of the publi24.ro website to withdraw it. The owner complied with the request and removed the posting. However, the ad in question had already been taken over and disseminated on other websites, where it remained accessible. In these circumstances, considering that the ad violated her right to image, honour and good reputation, as well as to private life, and the rules relating to the processing of personal data, the woman brought the matter before the Romanian courts.

The Cluj-Napoca Court ruled in favour of the plaintiff and ordered Russmedia Digital to pay her 7,000 euros in moral damages, but on appeal, the Cluj Court of Appeal exonerated the company from liability, classifying it as a simple provider of storage-hosting services, which is not responsible for the content published by its users.

The applicant appealed to the Cluj Court of Appeal, which decided to refer the matter to the Court of Justice for clarification on the interpretation of Union law, in particular on the obligations of the controller of an online marketplace under Regulation (EU) 2016/679, as well as on whether it can evade those obligations on the basis of the liability exemption provided for in Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (the e-commerce directive) for providers of information society services.

In its judgment, the CJEU ruled that Russmedia Digital is a controller, within the meaning of Regulation (EU) 2016/679, in respect of personal data contained in advertisements published on its online marketplace.

Thus, the controller of an online marketplace must, before publishing such advertisements and by means of appropriate technical and organisational measures, identify those containing sensitive data (such as those at issue in C-492/23) and verify whether the user who is about to place such an advertisement is the person whose sensitive data appear in it. The controller of an online marketplace must verify whether the person whose data are published has given his explicit consent to the publication. In the absence of such consent, it must refuse to publish the advertisement in question, unless it falls under one of the other exceptions to the lawfulness of processing provided for in Article 9 of Regulation (EU) 2016/679.

The controller of an online marketplace must also make every effort to prevent the unlawful copying and publication on other websites of advertisements containing sensitive data published on its website. To this end, it must implement appropriate technical and organisational security measures within the meaning of Article 32 of the GDPR.

The CJEU also stated that the controller of an online marketplace cannot evade its obligations under Regulation (EU) 2016/679.

Thus, the CJEU ruled that:

„1) Article 5 paragraph (2) and Articles 24 to 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 

must be interpreted as meaning that

the operator of an online marketplace, as controller, within the meaning of Article 4 point (7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements and by means of appropriate technical and organisational measures,

  • to identify the advertisements that contain sensitive data in terms of Article 9(1) of that regulation,
  • to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,
  • to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.

2) Article 32 of Regulation 2016/679

must be interpreted as meaning that

the operator of an online marketplace, as controller, within the meaning of Article 4 point (7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required to implement appropriate technical and organisational security measures in order to prevent advertisements published there and containing sensitive data, in terms of Article 9(1) of that regulation, from being copied and unlawfully published on other websites.

3) Article 1(5)(b) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), and Article 2(4) of Regulation 2016/679,

must be interpreted as meaning that

the operator of an online marketplace, as controller, within the meaning of Article 4(7) of Regulation 2016/679, of the personal data contained in advertisements published on its online marketplace, cannot rely, in respect of an infringement of the obligations arising from Article 5(2) and Articles 24 to 26 and 32 of that regulation, on Articles 12 to 15 of that directive, relating to the liability of intermediary providers.”

In the same sense, the opinion of the National Supervisory Authority for the Processing of Personal Data was previously expressed, transmitted on 01.11.2023 to the Ministry of Foreign Affairs – Government Agent of the CJEU, in order to formulate Romania’s position, prior to the ruling of this case.

Thus, ANSPDCP highlighted, among other things, that “(...) the provider of hosting information society services who is also a personal data controller and processes data posted by (users) recipients of hosting information society services must comply with the GDPR and, among other things, take all necessary and sufficient due diligence and implement appropriate technical and organizational measures, in order to ensure a level of security appropriate to the risk of security breaches and loss of confidentiality of data subjects (e.g. by implementing technical and organizational mechanisms that allow it to verify, prior to posting an advertisement, whether there is identity between the person posting the advertisement and the owner of the personal data to which the advertisement refers or to verify in advance the content of advertisements sent by users, in order to eliminate those that are potentially illicit or that may affect a person’s private and family life).

The Court's judgment can be consulted in full using the following link:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62023CJ0492

 

Legal and Communication Department

A.N.S.P.D.C.P