In the first part of this series, we examined the Russmedia judgment and clarified the resulting obligations: concrete ex-ante review requirements for sensitive personal data within the meaning of Article 9 GDPR, structured identity management, content screening, and a functioning risk management system. Time is of the essence. Enforcement by supervisory authorities is expected to begin within three to six months.
The focus now shifts to practical implementation: which steps must be initiated before data protection authorities begin enforcement?
Start with analysis and quick wins. Perfection is not yet achievable, but inaction is not an option. Companies that move early will gain a clear competitive advantage once regulatory scrutiny intensifies.
The three core measures
1. Introduce identity management
In the future, publishers must know precisely who is publishing content or advertisements on their platforms. Anonymous publishing is no longer permissible.
In practical terms, this means implementing a reliable identity verification system. This can range from plausibility checks such as verifying date of birth and address to full document verification. In closed environments, such as retail media networks, registration with pre-verified advertisers may be sufficient.
2. Review content prior to publication
Going forward, every piece of content must be reviewed before publication to determine whether it contains sensitive data within the meaning of Article 9 GDPR. This does not require an absolute guarantee, but a documented best-effort review using available technical means.
Measures may include upload filters for sensitive data, AI-supported screening systems, or standardized pre-publication workflows. The objective is to prevent the unlawful dissemination of sensitive information to the greatest extent technically possible.
3. Establish a risk management system
Without a documented risk management framework, it will be difficult to demonstrate compliance with due diligence obligations. Publishers must structure their data protection processes in line with recognized standards, such as the Plan-Do-Check-Act cycle, conduct regular data protection impact assessments, and document all procedures in a transparent and verifiable manner.
In the event of a dispute, the burden of proof lies with the publisher. Contracts with partners alone are not sufficient. What matters are robust technical and organizational measures that can withstand regulatory scrutiny.
Programmatic advertising: between efficiency and compliance
Programmatic advertising enables the automated trading of ad inventory within milliseconds. Yet this very speed creates a structural challenge. The new review obligations are difficult to reconcile with systems that interact in real time with thousands of partners.
One measure that currently proves workable is reducing the number of partners involved. Working with 50 partners instead of 800 can deliver comparable performance and similar revenue, while significantly lowering compliance risk. In addition, publishers should strictly limit the purposes and data categories included in bid requests and apply rigorous data minimization to avoid unnecessary data transfers.
What is no longer viable, however, is standard programmatic advertising in its current form. The industry now faces the task of developing new technical standards.
Joint controllership: the legal consequence
Recent court decisions, including rulings from Cologne and Frankfurt, make it clear that publishers do not bear responsibility alone. They are considered joint controllers together with all participants in the programmatic chain:
- ad servers
- DSPs, SSPs, and DMPs
- ad exchanges
In practical terms, this means that an agreement pursuant to Article 26 GDPR is required with each partner. This process is complex and long term. Publishers should therefore begin with their most important partners and gradually extend the framework to others.
Consent management: rising requirements
A simple “accept all” button will no longer be sufficient where sensitive data is processed. For data within the scope of Article 9 GDPR, explicit and separate consent is required. One possible approach could be a two-banner model, with one banner covering ordinary data and another addressing sensitive categories. While this may complicate the user experience, it could represent the legally safer option.
Technical solutions are also emerging. One example is the patented Twin Server developed by JENTIS, which intercepts the original server request, processes it in parallel, and forwards only neutralized data. Further details on Article 9 GDPR can be found here.
Your immediate implementation plan
1. Analysis
- Identify data flows involving Article 9 data
- Map all third-party publishers and recipients
- Document existing technical and organizational measures
2. Quick wins
- Introduce identity verification for new publishers
- Reduce the number of programmatic partners
- Evaluate initial screening tools
Month 3: Systems
- Establish a structured risk management system
- Implement screening workflows
- Initiate Article 26 GDPR agreements with key partners
Strategic perspective
Who stands to benefit
- Publishers with established editorial processes, who often already have identity management and human review mechanisms in place
- Early adopters of compliance-driven solutions
- Companies that view compliance as a driver of innovation rather than a burden
Who may face challenges
- Platforms operating purely on a user-generated content model
- Programmatic providers lacking standardized frameworks
- Smaller players without the resources to build a robust compliance infrastructure
The reality is clear: programmatic advertising in its current form will have to undergo fundamental change. The question is not whether transformation will occur, but how quickly and how radically it will unfold.
About the webinar
This article is based on a webinar featuring legal expert Tilman Herbrich of Spirit Legal, who analyzed the practical implications of the Russmedia Ruling for publishers and AdTech companies.
.webp)
.webp)
_compressed.webp)
