
Bridging frameworks: Operationalizing the DSA while maintaining GDPR compliance

On 11 September 2025, the European Data Protection Board (EDPB) published new Guidelines clarifying how the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR) interact, with a focus on the processing of personal data by intermediary service providers under various DSA obligations.  The aim is to ensure both regulations are applied consistently, protecting individuals’ rights and providing legal certainty for intermediary service providers. 

Key principles

  • The DSA and GDPR have different but complementary objectives: the GDPR protects personal data, while the DSA aims to create a safe, predictable, and trusted online environment. 
  • The DSA does not override the GDPR; both laws must be applied in a compatible and coherent way. 
  • The level of data protection under the GDPR must not be reduced by the application of the DSA. 

Main areas of interplay

The Guidelines identify several key areas where the DSA and GDPR intersect:

  1. Detection and removal of illegal content (Article 7 DSA)

Intermediary service providers are encouraged to take voluntary action to detect and remove illegal content, which often involves processing personal data.  Such processing must comply with GDPR principles, and the legal basis will typically be “legitimate interests” or, if required by law, “legal obligation.”  Automated decisions in this context may also trigger additional GDPR safeguards. 

  2. Notice and action mechanisms (Articles 16, 17, 20, 23 DSA)

When users report illegal content, hosting providers may process personal data of notifiers, affected users, and third parties.  Only necessary data should be collected, and notifiers’ identities should only be disclosed to affected users if strictly necessary. Automated processing must be transparent, and all complaint mechanisms must respect GDPR rights. 

  3. Deceptive design patterns (Article 25 DSA)

Online platforms must avoid interface designs that mislead or manipulate users, especially regarding personal data.  If such patterns involve personal data, they are generally unlawful under the GDPR. 

  4. Advertising transparency and profiling (Article 26 DSA)

Online platforms must provide real-time, clear information about why users see specific ads and how targeting parameters can be changed.  Special categories of data cannot be used for ad profiling, even with consent, and GDPR transparency and consent requirements still apply. 

  5. Recommender systems (Articles 27, 38 DSA)

Online platforms must explain how content is recommended and allow users to adjust recommendation settings.  Very large online platforms must offer at least one non-profiling option, and all profiling must comply with GDPR transparency and data minimization requirements. 

  6. Protection of minors (Article 28 DSA)

Online platforms accessible to minors must ensure a high level of privacy, safety, and security.  Profiling-based advertising is prohibited for users known to be minors, and any age assurance measures must be necessary, proportionate, and privacy-preserving. 

Finally, the Guidelines highlight the importance of close cooperation between Digital Services Coordinators, the European Commission, and Data Protection Authorities.  Such collaboration ensures consistent enforcement of both the DSA and GDPR and helps prevent intermediary service providers from facing double penalties for the same matter. 

Conclusion

The EDPB’s key message is clear: compliance with the DSA must always go hand in hand with upholding GDPR standards.  Businesses – especially online platforms and search engines – should take a proactive approach to ensure their operations meet both sets of requirements:

  • Start by identifying where DSA obligations involve personal data processing, such as in content moderation, advertising, recommender systems, and the protection of minors.  
  • Carefully document the legal basis and purpose for each processing activity and conduct data protection impact assessments (DPIAs) where activities such as scoring, automated decision-making with legal or similarly significant effects, or systematic monitoring are involved. 
  • Review user interfaces and system designs to eliminate dark patterns and provide users with a clear, unbiased choice to opt out of profiling in recommender systems.  
  • For services accessible to minors, implement safeguards that are effective yet minimally intrusive, and avoid unnecessary or permanent storage of age-related data. 

Incorporating these principles into compliance strategies helps businesses reduce regulatory risk, foster user trust, and clearly demonstrate their commitment to data protection in today’s rapidly changing digital environment. 

The Guidelines are currently subject to public consultation, giving stakeholders the opportunity to provide feedback until 31 October 2025.
