Article 24 - Responsibility of the controller
4 preliminary rulingsJudgment of 2 Dec 2025, C-492/23 (Russmedia Digital and Inform Media Press) 
Article 5(2) and Articles 24 to 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements and by means of appropriate technical and organisational measures,– to identify the advertisements that contain sensitive data in terms of Article 9(1) of that regulation,– to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,– to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.
Judgment of 25 Jan 2024, C-687/21 (MediaMarktSaturn)
Articles 5, 24, 32 and 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together must be interpreted as meaning that in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32.
Judgment of 14 Dec 2023, C-340/21 (Natsionalna agentsia za prihodite)
Articles 24 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a ‘third party’, within the meaning of Article 4(10) of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’, within the meaning of Articles 24 and 32.
Judgment of 27 Oct 2022, C-129/21 (Proximus)
Article 5(2) and Article 24 of Regulation 2016/679 must be interpreted as meaning that a national supervisory authority may require that the provider of publicly available telephone directories and directory enquiry services, as controller, take appropriate technical and organisational measures to inform third-party controllers, namely the telephone service operator that has communicated its subscriber’s personal data to that provider and the other providers of publicly available telephone directories and directory enquiry services to which that provider has itself supplied such data, of the withdrawal of the subscriber’s consent.
