The European Data Protection Board (EDPB) has opened a public consultation on its draft Guidelines: edpb_guidelines_202503_interplay-dsa-gdpr_v1_en.pdf, which address how the EU Digital Services Act (DSA) and the General Data Protection Regulation (GDPR) should be applied consistently where there is overlap in provisions. The draft Guidelines explain (through a 38 page document of various scenarios and reference to existing guidelines and judgements) the lawful bases for processing personal data when detecting or removing illegal content and clarify transparency duties for recommender systems and advertising and also underscore the prohibition on targeted ads using special categories of data. The Guidelines further highlight the importance of cooperation between Digital Services Coordinators and data protection authorities to prevent regulatory inconsistencies. 

The DSA and GDPR

The EDPB notes that the DSA and the GDPR do pursue “different yet complementary objectives” with the aim of the DSA to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space.  

Several provisions included in the DSA detail the processing of personal data by intermediary service providers; the Guidelines contribute to the consistent application of the DSA and of the GDPR, insofar as some provisions of the DSA concern the processing of personal data by such intermediary service providers and include references to GDPR concepts and definitions. The Guidelines further advise: “Notice and action mechanisms and internal complaint-handling systems required by the DSA may also require the processing of personal data, notably since service providers must implement mechanisms for reporting illegal content. Hosting providers should only collect necessary personal data and the notification mechanism should allow, but not require, the identification of the notifier, unless identification is necessary for determining whether information constitutes illegal content.”

Another situation where regulated entities should pay attention to both the DSA and GDPR is when they restrict minors’ access to adult content. In those circumstances, the EDPB recommends that “providers of online platforms should in particular avoid age assurance mechanisms that enable unambiguous online identification of their users, and should not estimate or verify and permanently store the age or age range of the recipient of the service as a result of their age estimation process.”

While enforcement of the DSA falls under national authorities’ discretion, the EDPB’s input supports consistent application across the EU’s rapidly evolving digital regulatory framework, including in respect of:

• notice-and-action systems that help individuals or entities report illegal content;
• recommender systems used by online platforms to automatically present specific content to the users of the platform with a particular relative order or prominence;
• provisions to ensure minors’ privacy, safety, and security and prohibit profile-based advertising using their data are presented to them;
• transparency of advertising by online platforms; and
• prohibition of profiling-based advertising using special categories of data.

EDPB Chair Anu Talus said: “By clarifying the interplay between the DSA and the GDPR, these guidelines mark a significant step towards ensuring a coherent and effective EU digital rulebook, and they will help uphold the fundamental rights and freedoms of individuals. I hope that stakeholders, including the competent authorities under the DSA, will make the most of the opportunity to contribute to the public consultation".

What’s next?

The consultation on the Guidelines runs until 31 October 2025; comments can be submitted using the EDPB’s public consultation reply form. Following these first guidelines on the interplay between the GDPR and the DSA, the EDPB is also working on joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR and the AI Act and EU data protection laws – we are monitoring this space.