IP case law Court of Justice

Accountability

Home > Personal Data Protection > General Data Protection Regulation (GDPR) > Article 5 - Principles relating to processing of personal data > Accountability
3 preliminary rulings

Judgment of 2 Dec 2025, C-492/23 (Russmedia Digital and Inform Media Press)

Article 5(2) and Articles 24 to 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required, before the publication of the advertisements and by means of appropriate technical and organisational measures,–   to identify the advertisements that contain sensitive data in terms of Article 9(1) of that regulation,–   to verify whether the user advertiser preparing to place such an advertisement is the person whose sensitive data appear in that advertisement and, if this is not the case,–   to refuse publication of that advertisement, unless that user advertiser can demonstrate that the data subject has given his or her explicit consent to the data in question being published on that online marketplace, within the meaning of Article 9(2)(a), or that one of the other exceptions provided for in Article 9(2)(b) to (j) is satisfied.

Judgment of 14 Dec 2023, C-340/21 (Natsionalna agentsia za prihodite)

The principle of accountability of the controller, set out in Article 5(2) of Regulation 2016/679 and given expression in Article 24 thereof, must be interpreted as meaning that, in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation.  

Judgment of 24 Feb 2022, C-175/20 (Valsts ieņēmumu dienests)

The provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the collection by the tax authorities of a Member State from an economic operator of information involving a significant amount of personal data is subject to the requirements of that regulation, in particular those set out in Article 5(1) thereof.  



Disclaimer

Powered by