Navigating the Interplay Between the DSA and GDPR: Insights from EDPB Guidelines

The evolving landscape of data protection law has prompted organizations to reassess their compliance frameworks in light of new regulations. The European Data Protection Board (EDPB) recently provided crucial guidelines addressing the interplay between the General Data Protection Regulation (GDPR) and the Digital Services Act (DSA), which governs online intermediaries and platforms. Understanding these guidelines is essential for businesses involved in digital services and online platforms.

What’s New?

On September 12, 2025, the EDPB issued draft guidelines aimed at aiding companies in navigating the complex relationship between the DSA and GDPR. These guidelines are currently open for consultation until October 31, 2025. They emphasize that while fulfilling DSA obligations, organizations will inevitably engage in processing personal data, thereby requiring compliance with GDPR. This can lead to challenges since obligations from both regulations may overlap, creating areas of tension.

Key Highlights

  1. Identifying Illegal Content: The guidelines clarify that service providers must establish mechanisms for identifying illegal content while ensuring compliance with GDPR during this process.
  2. Personalized Advertisements: Companies need to align their transparency requirements regarding advertisements with both DSA and GDPR mandates.
  3. Recommendation Algorithms: The EDPB highlights the need to protect minors and conform to risk assessments required under both regulations.

Investigating Illegal Content and Implementing Notice Mechanisms

A pivotal aspect of the DSA is the provision of a “safe harbour” for service providers, allowing them immunity from liability for content under certain conditions. Notably, Article 7 of the DSA states that service providers can proactively investigate illegal content without forfeiting their safe harbour protection.

However, compliance necessitates handling personal data—so how does this interplay look in practice?

Legal Basis for Processing

Companies may struggle to find a legal basis for processing personal data in this context. Since Article 7 investigations are voluntary, the standard GDPR “legal obligation” basis may not apply. Instead, companies are often required to document their use of the “legitimate interests” legal basis through a well-crafted “legitimate interest assessment.”

Automated Decisions and Transparency

Utilizing automated tools for content moderation can trigger GDPR obligations concerning automated decisions. This necessitates careful management of personal data so that companies adhere to requirements that prohibit the use of special category data and mandate transparency in decision-making processes. Importantly, companies must also provide human oversight as part of their DSA obligations.

Data Minimization and Transparency

The principle of data minimization is crucial—companies should restrict personal data processing to what is strictly necessary. For instance, the “notice and action” mechanism shouldn’t demand excessive personal information from users reporting illegal content.

In terms of transparency, companies are obligated to disclose how personal data is processed in the context of illegal content detection through their privacy notices. This transparency is reinforced by the DSA’s requirements concerning content moderation.

Processing of Personal Data in Advertising

The guidance emphasizes the need for clear communication with users regarding advertising practices. DSA Article 26 requires that companies provide meaningful insights about the parameters determining advertisement recipients. Businesses must reconcile these requirements with GDPR consent requests to maintain informed user engagement.

This underscores the critical nature of consistent transparency disclosures over time as advertising practices evolve. Attention to detail in how information is presented can prevent potential compliance pitfalls.

Recommender Systems, Dark Patterns, Protection of Minors, Risk Management

The interplay extends to recommender systems and protections for minors, reflecting GDPR’s stringent standards for children’s data. The EDPB emphasizes the necessity for companies to ensure that documentation detailing DSA compliance is harmonious with GDPR obligations.

This aspect is particularly relevant when considering automated decision-making practices, which require thorough documentation to safeguard users’ rights and freedoms.

Risk Assessments

Developing comprehensive risk management strategies is crucial. The guidelines suggest that organizations should align their DSA compliance documentation with existing GDPR frameworks, ensuring consistency and readiness for regulatory scrutiny.

Actions to Take

For organizations impacted by the DSA, a thorough review of their current compliance frameworks against the EDPB guidelines is essential. Conducting periodic benchmarking ensures that DSA documentation is in line with GDPR requirements.

Additionally, engaging with the public consultation surrounding these draft guidelines could enhance an organization’s adaptability and foresight. However, industry feedback may not be warmly received by the EDPB.

The EDPB’s guidelines signal a vital step forward in harmonizing GDPR and DSA compliance efforts, inviting businesses to adapt swiftly and effectively in a complex regulatory environment.
