CJEU: online marketplace is a controller for advertisements containing personal data
In the Russmedia case (C-492/23), the EU Court of Justice (CJEU) ruled on 2 December 2025 that the operator of an online marketplace must be classified as a controller within the meaning of the General Data Protection Regulation (GDPR) for personal data in advertisements placed by users on the platform. The CJEU held that the operator and advertiser act as joint controllers when the operator exerts influence over the purpose of processing by making the platform available and by commercially operating it. The operator must implement appropriate technical and organisational measures before publication to identify advertisements containing special personal data, verify whether the advertiser is the data subject, and refuse publication if the data subject has not given explicit consent. The CJEU emphasised that, with regard to an infringement of those obligations, operators cannot rely on the liability exemptions for hosting services under the e-Commerce Directive (currently laid down in the Digital Services Act).
Limburg District Court: abuse of law in GDPR access request
In its judgment of 16 January 2026 (in Dutch), the Limburg District Court ruled that an administrative law application for a judicial review in a GDPR access case was inadmissible due to abuse of law. The claimant had requested access to emails exchanged between the Ministry of Foreign Affairs and the municipality of Nederweert, but the District Court concluded, on its own initiative (ex officio), that the request was mainly aimed at prolonging a conflict about his dismissal, which had been dragging on for years, rather than at exercising his rights under the GDPR. The District Court pointed out that the claimant had already been found to be abusing procedural law in previous judgments and that his grounds for requesting a judicial review did not target the grounds for refusal of the access request but aimed to demonstrate that the Minister had misinformed the Dutch House of Representatives. This judgment confirms that the authority to submit GDPR requests and applications for a judicial review must not be abused for purposes other than those intended.
Dutch DPA fines 10 municipalities over possession of investigation reports
On 5 February 2026, the Dutch Data Protection Authority (Dutch DPA) imposed a total fine of EUR 250,000 on 10 Dutch municipalities for processing sensitive personal data of Islamic residents (obtained from an independent investigation firm that they had hired). The municipalities in question are Delft, Ede, Eindhoven, Gooise Meren, Haarlemmermeer, Hilversum, Huizen, Tilburg, Veenendaal and Zoetermeer. They possessed reports containing personal data about Muslims’ religious convictions and political preferences without legal basis. The fines expressly pertain only to the possession and not to the performance of the investigation itself. The reports, drawn up by means of ‘force field analyses’, contain photographs, names, family details and personal profiles. The municipalities have acknowledged the violations and have taken steps to restore their relationship with the communities affected.
Dutch DPA criticises Tax Administration’s in-house developed applications: risks for citizens
On 13 February 2026, the Dutch DPA voiced serious criticism regarding the hundreds of ‘locally developed applications’ that the Tax Administration had built and used outside the regular IT frameworks. The website Security.nl reported this in a news item (in Dutch). According to the Dutch DPA, these applications do not sufficiently meet the GDPR’s privacy and security requirements: they provide no insight into the degree of compliance, 65% have an unchecked export option, fewer than half have undergone a risk analysis, and logging and monitoring are almost completely absent. This entails various risks for citizens. Their personal data may be retained longer than necessary, may be inadequately protected or may lead to wrong decisions due to outdated information. Outgoing State Secretary Heijnen has promised to draw up an action plan to reduce the number of applications and regularly inform the Dutch House of Representatives of progress.
Brazil adequacy decision for free movement of personal data
The European Commission (the Commission) has published an adequacy decision for Brazil under Article 45 of the GDPR, confirming that Brazil’s level of personal data protection is essentially equivalent to that of the European Union. On the same day, 26 January 2026, Brazil adopted a mutual adequacy decision for the EU. These agreements allow the free exchange of personal data between the EU and Brazil, without any additional instruments being required (such as standard contractual clauses). According to the Commission, this creates the largest area for safe cross-border data flows in the world, benefitting over 670 million people. The Commission will review its adequacy decision every four years. Organisations exchanging data with Brazil are advised to map their data flows and update existing data processing agreements and privacy policies.