Liability of Online Classified Platforms: The CJEU Qualifies the Operator as “Data Controller” for an Unlawful Publication Containing Sensitive Data

On 2 December 2025, the Court of Justice of the European Union issued a significant ruling on the protection of personal data applicable to online classified platforms. The Court adopts an extensive interpretation of the notion of data controller under the GDPR and clarifies the resulting obligations of diligence and prior verification imposed on such operators when a publication is likely to contain sensitive data, particularly of a sexual nature. This judgment marks an important development in the regulation of digital spaces hosting user-generated content.

‍

1. Facts and Legal Framework: Publication of a Defamatory Announcement Disclosing Sensitive Data

A Romanian platform operated by Russmedia allowed anonymous users to publish classified listings online. One such listing falsely claimed that the claimant offered sexual services and included sensitive personal data, such as photographs and her phone number.

The claimant sought compensation under the GDPR, arguing that the operator not only enabled the publication but also stored, organised, analysed and disseminated the data, thereby demonstrating its direct involvement in the processing.

The referring court asked the CJEU two key questions:

• whether the platform should be considered a data controller, despite the user-generated origin of the content;
• whether the operator could invoke the liability exemption regime applicable to hosting providers under Directive 2000/31/EC.

‍

2. Qualification as Data Controller: a Decisive Role in Publication Justifies Liability

The Court recalls that the data controller is the party determining the purposes and means of the processing. Even if the listing was created by a user, the platform determines the essential modalities of publication, as it:

• hosts the content;
• makes it accessible to the public;
• sets the conditions for retention, modification and deletion;
• benefits contractually from rights of exploitation, reproduction and transmission of the listings.

The Court concludes that control over the means of dissemination is sufficient to qualify the operator as data controller, even where the platform does not participate in drafting the content.

‍

3. Prohibition on Publishing Sensitive Data Without Prior Control: A Duty of Ex Ante Prevention

The contested listing contained data falling within Article 9(1) GDPR (sexual life). The Court holds that the platform must anticipate the possibility of such publications and implement filtering and technical measures prior to publication, in particular when sexual or sensitive data may be posted on the service.

This obligation derives notably from Article 25 GDPR (“data protection by design and by default”) as well as from the principles protecting dignity, reputation and privacy. The CJEU therefore imposes a mandatory ex ante control of sensitive data, rejecting any system based solely on removal following a notification.

‍

4. Inapplicability of the Hosting Exemption Regime: GDPR Prevails

The Court rejects reliance on Article 14 of Directive 2000/31/EC on the grounds that the hosting exemption regime does not apply to an operator qualified as data controller. In this respect, the GDPR prevails.

This reasoning is based on the primacy of fundamental rights, the objective of preventing impunity for anonymous publications, and the need to protect individuals from the non-consensual disclosure of sensitive data.

‍

Conclusion: A Strengthened Proactive Responsibility for Classified Platforms

The ruling imposes a proactive responsibility on online classified platforms, requiring technical and organisational prevention measures before any publication likely to contain sensitive data. It paves the way for a general obligation of prior control in digital spaces hosting user-generated content.