The Digital Services Act (DSA) and the General Data Protection Regulation (GDPR) are two key frameworks in the EU digital legal landscape. While they regulate distinct areas (platform responsibility under the DSA, personal data protection under the GDPR), their interplay is crucial for intermediary service providers operating in the EU.
This article, based on the EDPB’s Guidelines 3/2025, outlines how both instruments must be applied in a compatible manner, ensuring consistency, legal certainty, and a high level of fundamental rights protection. Note that the guidelines are not yet final and subject to a public consultation.
Interplay Between the DSA and the GDPR
The relationship between the DSA and GDPR is foundational. Understanding how the two frameworks interact is critical for applying either of them correctly. In the guidelines, the EDPB highlights the following:
- Complementarity: The DSA and GDPR pursue different but complementary objectives. The DSA focuses on a safe and trusted online environment and fundamental rights, while the GDPR aims to protect individuals with regard to personal data processing.
- Not derogatory: The DSA is not a lex specialis that derogates from the GDPR.
As a consequence, it is clear that the DSA does not derogate, as lex specialis, from the general rules on the processing of personal data under the GDPR nor the rules that particularise the GDPR with respect to the processing of personal data in the electronic communication sector under the ePrivacy Directive. (Para. 9 of the Guidelines)
- Consistent Application: Both regulations must be applied compatibly to ensure legal certainty for service providers and protect data subjects' rights. Where DSA provisions impact personal data processing and refer to GDPR concepts (e.g., 'profiling,' 'special categories of data'), they must be read consistently with GDPR and the ePrivacy Directive.
- Maintaining High Protection Levels: A consistent interpretation "should not lead to lowering the level of protection of the fundamental rights to privacy and data protection as enshrined in primary and secondary EU law."
Content Moderation and Illegal Content (Article 7 DSA)
DSA obligations around detecting and removing illegal content often involve processing personal data, including by employing machine learning. These actions must fully comply with GDPR requirements.
- Legal bases for processing include:
  - Article 6(1)(f) GDPR – legitimate interest (for voluntary moderation)
  - Article 6(1)(c) GDPR – legal obligation (e.g., Copyright Directive, data subject's right to erasure)
- If decisions are made solely by automated means and significantly affect users, Article 22 GDPR applies.
- Intermediary service providers must:
  - Provide clear information under Articles 13–14 GDPR
  - Conduct a DPIA: voluntary or mandatory actions under Article 7 DSA are likely to require a Data Protection Impact Assessment (DPIA) because of criteria such as evaluation/scoring, automated decision-making with significant effects, and systematic monitoring.
Notice and Action & Complaint Handling (Articles 16, 17, 20, 23 DSA)
These mechanisms involve processing personal data of the notifier and affected recipients.
- Hosting providers are data controllers when processing notifier or recipient data.
- Data minimization is essential—only the information required under Article 16(2) DSA should be collected. Identification of the notifier should not be required unless "necessary to determine whether the information in question constitutes illegal content."
- If the notifier’s identity must be disclosed to the affected recipient (e.g., for intellectual property rights), this must be justified and transparently communicated to the notifier.
- Use of automated means for notice processing or decisions must be disclosed.
- Complaint decisions must involve qualified human oversight, not solely automation.
Deceptive Design Patterns (Article 25 DSA)
The DSA prohibits interface designs that mislead or manipulate users. Whether a deceptive design pattern also falls under the GDPR depends on whether "personal data is being processed and whether the data subject's behaviour that the pattern is influencing relates to the processing of personal data."
- Practices that are unfair, unexpected, or misleading are likely to breach the GDPR’s fairness principle.
- Techniques that encourage addictive behavior (e.g., infinite scroll, gamification) are identified as systemic risks; where they rely on personal data to influence user behavior, that processing falls under the GDPR.
Advertising Transparency & Profiling (Article 26 DSA)
Article 26 DSA requirements are "without prejudice to the GDPR," specifically regarding consent, the right to object, and automated individual decision-making, and "without prejudice to the provisions in the ePrivacy Directive," for data storage and access.
- Real-time ad disclosures are required under the DSA; GDPR transparency obligations apply at the time personal data is obtained.
- Profiling based on special categories of data is prohibited under both the DSA and Article 9(1) GDPR. This DSA prohibition complements Article 9(2) and Article 22(4) GDPR. It applies even if a provider has an appropriate legal basis under Article 6(1) GDPR and a derogation under Article 9(2) GDPR for processing special categories of data.
- Implementing advertising transparency must not lead to increased collection or sharing of personal data with intermediaries.
Recommender Systems (Articles 27, 38 DSA)
Recommender systems, especially when personalised, raise specific GDPR compliance risks, including large-scale processing, lack of accuracy and transparency, and processing of special categories of data. VLOPs and VLOSEs face stricter requirements.
- Behavioral analysis for prediction is a "profiling activity" under Article 4(4) GDPR.
- The presentation of specific content via a recommender system "cannot be excluded" from being a 'decision' under Article 22(1) GDPR, especially "when they can have serious consequences for individuals" (Para. 84). This includes economic or social impacts, or influencing behavior/choices with prolonged effect (e.g., housing or job offers).
- Providers must:
  - Explain the main parameters behind content ranking. If multiple options exist, allow users to "select and modify their preferred option"
  - Offer at least one non-profiling-based option (mandatory for VLOPs/VLOSEs). Ensure user choice is respected and not nudged toward profiling
  - Not store user choices related to recommender system parameters beyond what is necessary to comply with the DSA
Protection of Minors (Article 28 DSA)
The DSA introduces specific obligations for platforms likely to be accessed by minors. These must be balanced with GDPR principles.
Compliance with the obligations set out in this Article shall not oblige providers of online platforms to process additional personal data in order to assess whether the recipient of the service is a minor. (Article 28 DSA)
- Online platforms must implement appropriate and proportionate measures to protect minors’ privacy and safety.
- Providers should avoid age assurance mechanisms that enable unambiguous online identification of their users (e.g., by asking them to submit proof of their identification via government-issued ID) on the basis of Article 28 DSA alone.
- Platforms must not deliver profiling-based advertising when they are aware "with reasonable certainty" that the user is a minor.
Risk Assessments and Mitigation (Articles 34–35 DSA)
VLOPs and VLOSEs must manage systemic risks, including those related to data protection and privacy.
- Risks to Articles 7 and 8 of the EU Charter (privacy and data protection) must be identified and mitigated.
- Where high-risk processing is involved, a DPIA under Article 35 GDPR is likely required.
- Mitigation measures may include:
  - Adapting platform design or features
  - Testing algorithmic systems or adapting advertising systems
  - Communicating clearly with users
Enforcement and Regulatory Cooperation
Effective application of the DSA and GDPR relies on coordinated oversight among EU regulators.
- Digital Services Coordinators (DSCs) and Data Protection Authorities (DPAs) must cooperate, especially where obligations overlap.
- The duty of sincere cooperation (Article 4(3) TEU) applies across enforcement bodies.
- The European Board for Digital Services (EBDS) and European Data Protection Board (EDPB) are expected to collaborate to ensure consistency in regulatory interpretation.
Key Takeaways for Platforms
Compliance with both the DSA and GDPR is essential. Platforms should:
- Ensure all DSA-related processing has a valid legal basis under GDPR
- Implement transparency, data minimization, and fairness in moderation, recommender systems, and advertising
- Offer non-profiling options and protect minor users from targeted advertising
- Conduct DPIAs where systemic or high-risk data processing is involved
- Be prepared for cross-authority oversight and integrated enforcement actions
Next Steps
The EDPB Guidelines 3/2025 on the interplay between the DSA and GDPR are currently open for public consultation. Stakeholders can submit comments until 31 October 2025 using the form provided by the European Data Protection Board.
Further work is ongoing to clarify how EU data protection law interacts with other digital regulations. The EDPB has announced that it is preparing joint guidelines with the European Commission on the GDPR interplay with the Digital Markets Act (DMA) and the AI Act, aiming to ensure coherent application of data protection principles across the evolving regulatory landscape.
📌 Frequently Asked Questions
Does the DSA override the GDPR?
No. The DSA does not derogate from the GDPR. Both apply in parallel, and GDPR standards remain fully enforceable.
What profiling is prohibited under the DSA?
Ads and recommender systems must not rely on special categories of personal data or target known minors using profiling.
Can platforms use automated decisions to remove content?
Yes, but if those decisions significantly affect users, GDPR Article 22 applies, requiring transparency and, in some cases, human intervention.
What is required for age assurance under the DSA?
Providers must avoid intrusive methods and adopt risk-based, data-minimizing approaches that do not involve exact age storage.
Are the EDPB guidelines final?
No. The Guidelines 3/2025 are currently in draft form and open for public consultation until 31 October 2025. Final adoption will follow after stakeholder feedback is reviewed.