What's the issue?
The EU's Digital Services Act (DSA) places obligations on online intermediaries and platforms to tackle illegal content, products and services, protect children online, and promote transparent advertising. In particular, it covers removal of illegal content, transparency, reporting, a partial ban on certain types of profile-based advertising, a ban on dark patterns, and risk management and crisis response, with the most onerous obligations applying to designated very large online platforms (VLOPs) and very large online search engines (VLOSEs).
Giving effect to some of the requirements under the DSA is likely to involve processing personal data, and there is a clear tension between DSA and GDPR compliance, even though Article 2 DSA expressly states that the legislation is without prejudice to the GDPR and many clauses in the DSA explicitly reference the GDPR and the terms and concepts it contains.
What's the development?
On 12 September 2025, the EDPB adopted guidelines on the interplay between the DSA and the GDPR for public consultation. The guidelines are intended to clarify how intermediary service providers should apply and interpret the GDPR when processing personal data in DSA contexts. They cover provisions of the DSA which relate to the GDPR including:
- Voluntary investigations and legal compliance relating to illegal content (Article 7): processing must be conducted lawfully, fairly and transparently. The most likely lawful basis for processing personal data in relation to non-automated, own-initiative investigations is legitimate interests. In addition to adhering generally to the data protection principles, in-scope service providers, particularly VLOPs and VLOSEs, should take particular care to ensure accuracy and to prevent negative impacts from incorrect or inaccurate monitoring results. It is also possible that Article 22(1) GDPR may be engaged. This prohibits solely automated decisions with a legal or similarly significant effect unless an Article 22(2) exception applies. A DPIA is likely to be needed where monitoring that processes personal data is to be used.
- Notice and action systems that help individuals or entities report illegal content (Articles 16-17, 20 and 23): only necessary personal data should be collected, and a notification mechanism should allow for, but not require, the identity of the notifier (unless that information is necessary to determine whether the reported information is illegal content, in which case the notifier should be informed). Individuals should be given information about the use of their personal data in a privacy notice. Again, GDPR requirements around automated processing (for example regarding suspension of accounts) must be complied with.
- Deceptive design patterns (Article 25): the EDPB looks at Article 25(2), which states that the prohibition on deceptive design patterns under the DSA does not apply to practices that are covered by the GDPR or the Unfair Commercial Practices Directive. The guidance looks at how to identify when deceptive design is covered by the GDPR, giving the example of a non-business user being manipulated into providing more personal data than they would otherwise have done.
- Recommender systems (Articles 27 and 38): the EDPB says recommender systems raise concerns about accuracy, transparency and the combining of personal data, as well as risks associated with large-scale or special category data processing. The EDPB notes that it is even possible that presenting specific content to a user via a recommender system could constitute a decision within the meaning of Article 22(1) GDPR. The EDPB also underlines that providers of online platforms are required under Article 38 DSA to provide at least one option for their recommender system which is not based on profiling. The EDPB says the options should be presented equally and should not nudge users towards recommender system options based on profiling.
- Provisions relating to ensuring the privacy, safety and security of minors and prohibiting profile-based advertising being presented to them (Article 28): the EDPB recognises that Articles 28(1) and (2) can constitute a legal basis for processing personal data under Article 6(1)(c) GDPR provided the processing is necessary and proportionate (with no less intrusive means available to achieve the purpose), which is for the controller to demonstrate. The EDPB considers that providers of online platforms should avoid age assurance mechanisms that enable unambiguous identification of their users and should not permanently store the age or age range of the recipient of the service resulting from the age estimation or verification process.
- Transparency provisions for online advertising and prohibition of profile-based advertising using special category data (Article 26): the EDPB points out that, whereas the information required under Article 26 DSA may be provided after the processing of personal data has occurred, transparency under the GDPR requires information about data processing to be given at the time the personal data is obtained (when collected directly from the data subject), and where consent is relied on, the information must be provided before consent is collected. The EDPB also notes that the prohibition on using special category data to target advertising applies even where the controller has identified an Article 6 GDPR lawful basis and an Article 9 GDPR exception applies to the processing.
- Risk assessment and mitigation (Articles 34-35): appropriate implementation of data minimisation and data protection by design and default may contribute to addressing systemic risks. If systemic risks are identified, a DPIA is likely to be required before data processing relating to mitigation can take place.
- Codes of conduct for online advertising (Articles 45-47): the EDPB stresses the importance of clarifying the relationship between codes of conduct developed under the DSA and the GDPR, and of ensuring DPAs are involved in the former where appropriate.
The guidelines cover how the GDPR should be applied when complying with these elements of the DSA and also provide guidance on cross-border regulatory cooperation and enforcement along with some practical examples. They also cross-refer to other EDPB guidelines including on Age Assurance, Targeting of Social Media Users, and on Deceptive Design Patterns. They are open to comments until 31 October 2025.
What does this mean for you?
The guidelines are helpful for those caught by both the DSA and the GDPR. While it is easy to say that the GDPR applies when processing personal data, it can be harder to understand how to give effect to both pieces of legislation in practice. The guidelines set out the distinction between instances in which processing of personal data can be justified under the lawful basis of compliance with a legal obligation, and those in which a separate lawful basis must be found regardless of what the DSA requires. Possibly the main lesson is that the DSA does not override the GDPR. As with all GDPR compliance, the principles are key – lawful, fair and transparent processing, data minimisation, data protection by design and default, and data retention in particular. Rules around profiling will also be particularly significant, but essentially it's full steam ahead on GDPR compliance.
The guidelines are also of interest to services caught by the UK's Online Safety Act and by elements of the Digital Markets, Competition and Consumers Act, given the overlap of issues and the similarity of the UK GDPR to its parent EU legislation.