CJEU: Advertising platforms are responsible for the personal data published by users. The case originated in Romania.
Brussels, December 2, 2025 The Court of Justice of the European Union has established that operators of advertising platforms are responsible for the protection of personal data published in the advertisements uploaded by users, being considered "data operators" in the sense of GDPR. The ruling requires marketplaces to adopt proactive measures to verify the identity of the data subject and to confirm explicit consent, as well as to prevent unauthorized republishing of advertisements on other sites. The decision is of major relevance for the market in Romania, as the case originated from the publication of a false advertisement on a Romanian platform.
In short
CJUE establishes that advertising platforms are "data operators" in the sense of GDPR and bear direct responsibility.
Platforms must verify the identity and consent of the data subject before publishing the advertisement.
The case originates from Romania, where a woman's data was used in a false advertisement and redistributed on other sites.
The case reached the CJUE after a woman from Romania discovered that her photographs and phone number had been used in an advertisement published on an online advertising platform, without her consent. The advertisement was subsequently automatically copied and redistributed on other sites, amplifying the harm. Although she won in the first instance, the appellate court raised questions regarding the responsibility of the platform operator and referred the case for clarification to the Court of Justice.
The Court decided that a marketplace that allows users to publish advertisements actively processes the personal data included in those advertisements. Therefore, the platform cannot be treated as a mere technical intermediary and cannot invoke the "safe harbour" regime from the e-commerce directive. In the view of the CJUE, the operator of the advertisements has the obligation to analyze whether the data included belongs to the person publishing the advertisement, whether the data subject has given their consent, and whether the information does not fall into the category of sensitive data protected by Article 9 of the GDPR.
The ruling also introduces an additional obligation: platforms must implement technical measures to prevent unauthorized copying and redistribution of advertisements – an aspect with major impact in Romania, where many advertising sites are included in automated aggregation networks.
The CJUE decision has direct implications for all Romanian advertising platforms, especially those that allow the publication of user-generated content in an unfiltered manner. Operators will need to review and update their internal procedures, verify the identity of users in high-risk situations, ensure traceability of consent, and implement anti-scraping technical barriers. For users, the ruling provides a clear framework for protection when their data is abusively used in false advertisements.
The CJUE ruling becomes mandatory for courts in Romania and all EU member states. The case now returns to the Romanian court for a substantive resolution, in accordance with the legal interpretation established by the Court.
.webp)
