General Data Protection Regulation

Article 26

Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Holdings

C-492/23, 2 Dec 2025

X v Russmedia Digital SRL and Inform Media Press SRL

An online marketplace operator that is the controller of the personal data in advertisements published on its marketplace cannot rely on Articles 12 to 15 of Directive 2000/31 on the liability of intermediary providers in relation to an infringement of its obligations under Article 5(2), Articles 24 to 26, and Article 32 of Regulation 2016/679.

C-604/22, 7 Mar 2024

IAB Europe v Gegevensbeschermingsautoriteit

A sectoral organisation is a joint controller where it offers its members a consent framework that it has established, containing binding technical rules and detailed rules on the storage and dissemination of personal data relating to that consent, and where, in the circumstances of the case, it influences the processing at issue for its own purposes and thereby determines, jointly with its members, the purposes and means of that processing. It can be a joint controller even if it does not itself have direct access to the personal data processed by its members under those rules. That joint controllership does not automatically extend to later processing by third parties, such as website or application providers, of users' preferences for targeted online advertising.

C-683/21, 5 Dec 2023

Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v Valstybinė duomenų apsaugos inspekcija

Two entities may be joint controllers under Article 4(7) and Article 26(1) even without an arrangement between them on the purposes and means of the processing, and even without an arrangement laying down the terms of their joint control.

C-60/22, 4 May 2023

UZ v Bundesrepublik Deutschland

A controller's failure to comply with Articles 26 or 30 of Regulation 2016/679 does not by itself make the processing unlawful or give the data subject a right to erasure under Article 17(1)(d) or restriction under Article 18(1)(b). That remains so provided that the failure does not, as such, amount to an infringement of the principle of accountability in Article 5(2), read with Article 5(1)(a) and the first subparagraph of Article 6(1).

C-60/22, 4 May 2023

UZ v Bundesrepublik Deutschland

Where a controller has failed to comply with Articles 26 or 30 of Regulation 2016/679, EU law does not make a national court's lawful use of that data depend on the data subject's consent.