Data Protection Inside, Issue 145

-CJEU Clarifies Intermediaries’ Data Protection Responsibilities-

On 2nd December, the CJEU ruled in X v Russmedia Digital SRL that the operator of an online marketplace must ensure that the publication of advertisements which contain sensitive personal data complies with various provisions of the GDPR, and that the E-Commerce Directive does not waive GDPR responsibilities. As to the facts of the case, an anonymous internet user published on Russmedia, an online marketplace, a picture of a lady (the applicant in the main proceedings), claiming that she offers sex services. The advertisement was copied by other websites. As soon as the applicant learned of the advertisement, she contacted Russmedia, which took down the advertisement from its website within an hour. The advertisement, however, remained on the other websites. The applicant challenged the legality of the original publication and its further distribution. The dispute reached the CJEU with several preliminary ruling questions concerning the responsibility of Russmedia under the GDPR for the legality of the processing of personal data contained in advertisements published on its website. Before answering the individual questions, the CJEU clarified that Russmedia should be considered to be a controller for the processing of personal data in the advertisements published on its website as it ‘exerted influence, for its own purposes, over the publication on the internet of the personal data of the applicant in the main proceedings and therefore participated in the determination of the purposes of that publication and thus of the processing at issue’. Then, the Court recalled that the controller is responsible for complying with the requirements of the GDPR.
The Court established that, in casu, this means that: (1) stemming from its accountability obligations, Russmedia was supposed ‘to identify the advertisements that contain sensitive data in terms of Article 9(1) of the GDPR’, before such advertisements are published, by implementing appropriate TOMs; (2) ‘to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case’; (3) ‘to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied’. With regard to the responsibilities of Russmedia in relation to the further copying of the advertisement by other websites, the CJEU held that the security requirements in Article 32 GDPR ‘must be interpreted as meaning that the operator of an online marketplace…is required to implement appropriate technical and organisational security measures in order to prevent advertisements published there and containing sensitive data, in terms of Article 9(1)…from being copied and unlawfully published on other websites’. Finally, the CJEU held that the provisions of the E-Commerce Directive do not waive the responsibilities of the controller under the GDPR.

-ECtHR Considers States’ Positive Obligations in relation to Use of Personal Data in a Discrimination Claim-

On 4th December, the ECtHR ruled in the case of Ortega Ortega v. Spain. In terms of the facts relating to data protection, the case essentially concerned a manager at a company, who used personal data concerning other employees’ salaries as the basis for a discrimination claim based on sex. Whilst the claim was successful, the company subsequently dismissed the applicant for breaches of confidentiality and data protection law relating to the use of this personal data. This led to a series of decisions before the national courts in which the decision to dismiss the applicant was upheld, despite the applicant’s assertion that this decision was taken as a form of reprisal for the original discrimination proceedings. In this regard, the applicant appealed to the ECtHR ‘that the domestic courts, by upholding her dismissal, had failed to protect her against retaliation for her successful complaint of discrimination based on sex’. Whilst the applicant ‘relied on Articles 6 and 14 of the Convention’, the Court considered, in light of ‘its case-law and the nature of the applicant’s complaint’ and ‘being the master of the characterisation to be given in law to the facts of a case’, that ‘the issues raised should be addressed from the perspective of Article 14 of the Convention, taken in conjunction with Article 8’ – i.e. from the perspective of the right to protection from discrimination in conjunction with the right to respect for private and family life. In this regard, the Court found a violation. The Court began its reasoning by highlighting states’ positive obligations under Articles 14 and 8.
In this regard, the Court highlighted ‘that the States’ positive obligations under Article 14 in conjunction with Article 8…require them to ensure real and effective protection against any form of reprisal by employers in connection with complaints brought to ensure respect of the right not to be discriminated against on grounds of sex… Therefore, where the domestic courts are called to rule on measures allegedly taken by an employer in retaliation against the exercise of the right not to be discriminated against on grounds of sex, they…must have due regard to the allegedly retaliatory nature of the impugned measure and the context and carefully balance the relevant interests at stake, providing relevant and sufficient reasons to justify their decisions’. The Court finally concluded, considering the specific decisions of the national courts in relation to the case, that ‘the domestic courts upheld the applicant’s dismissal by applying a defective approach, not compatible with the positive obligations regarding protection against discrimination. The dismissal had the effect of negating the protection against discrimination afforded in the separate anti-discrimination proceedings; the domestic courts did not engage with this consequence. Furthermore, they failed to give sufficient weight to relevant elements such as the context of persistent sexual discrimination to which the applicant had been subjected, the repeated failure by the company to react to the applicant’s attempts to end it via internal means, the purpose of the disclosure of private information, the limited impact of such disclosure, and the severity of the measure taken against the applicant, which could be indicative of a retaliatory motive’. The Court thus considered ‘that the reasons given by the domestic courts to uphold the applicant’s dismissal were not sufficient in the circumstances of the…case’.

-EDPB Publications-

Over the past two weeks, the EDPB has published the following important documents:

• ‘Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
