Navigating the Digital Crossroads: EDPB's Groundbreaking Guidelines on DSA-GDPR Interplay
Executive Overview: A New Era of Digital Compliance
The European Data Protection Board (EDPB) has released its first comprehensive guidelines (Guidelines 3/2025) on the complex interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). This landmark guidance, adopted on September 11, 2025, represents a crucial development for digital platforms navigating Europe's increasingly intricate regulatory landscape.
For compliance professionals, these guidelines aren't just another regulatory document—they're a roadmap for understanding how two of the EU's most significant digital regulations intersect, overlap, and sometimes collide.
The Compliance Challenge: Why This Matters Now
The Regulatory Convergence
The DSA and GDPR pursue different yet complementary objectives:
- GDPR: Protects individuals regarding personal data processing
- DSA: Creates a safer online environment for all users, tackling illegal content and systemic risks
However, virtually every DSA obligation involves some form of personal data processing, creating a complex compliance matrix that platforms must navigate carefully.
The Stakes Are Higher Than Ever
Consider the enforcement landscape:
- GDPR fines: Up to 4% of global annual turnover
- DSA fines: Up to 6% of global annual turnover
- Combined risk: Potential for double jeopardy if compliance frameworks aren't properly aligned
Recent enforcement actions against major platforms like X (formerly Twitter) demonstrate that EU regulators are serious about DSA enforcement, with investigations already underway and substantial fines on the horizon.
Key Compliance Areas: Where DSA Meets GDPR
1. Content Moderation and Automated Detection (Article 7 DSA)
The Challenge: Platforms conducting voluntary investigations to detect illegal content must balance DSA safe harbors with GDPR requirements.
Critical Compliance Points:
- Legal basis complexity: While DSA permits voluntary detection efforts, GDPR requires a valid legal basis—typically legitimate interests under Article 6(1)(f)
- Automated decision-making risks: Content removal decisions may trigger Article 22 GDPR if they significantly affect users
- Data minimization imperative: Detection systems must process only necessary personal data
Practical Implementation:
Risk Assessment Checklist:
✓ Document legitimate interest assessment
✓ Implement human review for significant decisions
✓ Ensure transparency about automated systems
✓ Conduct mandatory DPIAs for high-risk processing
✓ Minimize data collection to detection purposes only
2. Notice and Action Mechanisms (Articles 16-17 DSA)
The Challenge: Implementing reporting systems while protecting all parties' personal data.
Key Requirements:
- Enable but don't require notifier identification (except when necessary to determine illegality)
- Limit data collection to name and email address for notifiers
- Protect notifier identity unless disclosure is necessary and proportionate
- Avoid automated decisions on special category data
Compliance Trap to Avoid: Collecting excessive personal data from notifiers "just in case" violates data minimization principles.
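As an added illustration of the two intake rules above (keep only name and e-mail for notifiers; withhold the notifier's identity from the content provider unless disclosure is necessary and proportionate), here is a minimal notice-intake module in Python. It is example code written for this article, not from the EDPB guidelines, the DSA text or any platform's implementation; the field names, the function names and the sample submission are assumptions made for illustration.

```python
# Added example: a data-minimising notice-and-action intake.
# Not from the EDPB guidelines or the original article; field names,
# the sample submission and the function names are assumptions made
# for illustration.
from dataclasses import dataclass, field

# Notifier data the intake is allowed to keep (name and e-mail only).
NOTIFIER_FIELDS = frozenset({"name", "email"})
# Substantive content of a notice; none of these identifies the notifier.
NOTICE_FIELDS = frozenset({"content_url", "reason", "explanation", "good_faith"})


@dataclass
class Notice:
    content_url: str
    reason: str
    explanation: str
    good_faith: bool
    notifier: dict = field(default_factory=dict)        # empty when the notifier stays anonymous
    dropped_fields: list = field(default_factory=list)  # audit trail of discarded inputs


def intake_notice(form: dict) -> Notice:
    """Accept a raw form submission and keep only allow-listed fields.

    Anything outside the allow-list (phone numbers, birth dates, client IPs
    that a form handler might append) is discarded rather than stored, and
    the discarded keys are recorded so the minimisation can be evidenced.
    Notifier identification is optional: absent or empty name/email is fine.
    """
    missing = NOTICE_FIELDS - form.keys()
    if missing:
        raise ValueError(f"notice incomplete, missing: {sorted(missing)}")
    notifier = {k: form[k] for k in NOTIFIER_FIELDS if k in form and form[k]}
    dropped = sorted(k for k in form if k not in NOTIFIER_FIELDS | NOTICE_FIELDS)
    return Notice(
        content_url=form["content_url"],
        reason=form["reason"],
        explanation=form["explanation"],
        good_faith=bool(form["good_faith"]),
        notifier=notifier,
        dropped_fields=dropped,
    )


def statement_for_provider(notice: Notice, *, disclose_notifier: bool = False,
                           justification: str = "") -> dict:
    """Build what is shared with the provider of the reported content.

    Notifier identity is withheld by default. It is included only when the
    caller records why disclosure is necessary and proportionate, so the
    justification travels with the data and can be reviewed later.
    """
    statement = {
        "content_url": notice.content_url,
        "reason": notice.reason,
        "explanation": notice.explanation,
    }
    if disclose_notifier:
        if not justification.strip():
            raise ValueError("notifier disclosure requires a recorded justification")
        statement["notifier"] = dict(notice.notifier)
        statement["disclosure_justification"] = justification
    return statement


# Constructed sample submission: a web form that over-collects.
SAMPLE_FORM = {
    "content_url": "https://example.invalid/posts/123",
    "reason": "illegal_content",
    "explanation": "The post sells counterfeit goods.",
    "good_faith": True,
    "name": "A. Notifier",
    "email": "notifier@example.invalid",
    "phone": "+00 000 0000",          # not needed: dropped
    "date_of_birth": "1990-01-01",    # not needed: dropped
    "client_ip": "203.0.113.7",       # appended by the handler: dropped
}

if __name__ == "__main__":
    n = intake_notice(SAMPLE_FORM)
    print("stored notifier fields:", sorted(n.notifier))
    print("dropped:", n.dropped_fields)
    print("sent to provider:", statement_for_provider(n))
```

The design choice worth noting is that minimisation is enforced by an allow-list at the intake boundary rather than by a deny-list of "sensitive" fields, so a new form field or a handler that appends request metadata cannot silently widen what is stored; the `dropped_fields` record is what a DPIA or an audit can point to as evidence.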
3. Advertising Transparency and Profiling Prohibitions (Article 26 DSA)
The Absolute Prohibition: DSA categorically bans presenting ads based on profiling using special categories of data—even with valid GDPR consent.
Critical Distinctions:
- DSA transparency requirements apply in real-time, alongside ads
- GDPR transparency must occur when data is collected
- The DSA prohibition overrides any GDPR derogations for special category data
Example Scenario: A platform cannot use inferred religious beliefs from geolocation data (visiting places of worship) for ad targeting, even with explicit consent.
4. Recommender Systems (Articles 27 & 38 DSA)
The Challenge: Personalizing content while respecting user autonomy and data protection.
Compliance Requirements for VLOPs/VLOSEs:
- Must offer at least one non-profiling option
- Cannot nudge users toward profiling-based recommendations
- Must present options equally on first use
- Cannot continue profiling when non-profiling option is active
Data Protection Impact: Recommender decisions may constitute automated decision-making under Article 22 GDPR when they:
- Significantly affect user behavior or choices
- Have prolonged or permanent impact
- Could lead to exclusion or discrimination
5. Protection of Minors (Article 28 DSA)
The Balancing Act: Ensuring minor safety without excessive data processing.
Key Principles:
- No obligation to process additional data to verify age
- Avoid identification-based age assurance mechanisms
- Don't permanently store age or age range data
- Implement risk-based, proportionate measures
Best Practice: Use privacy-preserving technologies like zero-knowledge proofs rather than government ID verification.
Systemic Risk Management: The VLOP/VLOSE Challenge
Risk Assessment Requirements (Articles 34-35 DSA)
For Very Large Online Platforms and Search Engines, the compliance burden intensifies:
Mandatory Assessments Include:
- Dissemination of illegal content
- Impact on fundamental rights (including data protection)
- Effects on civic discourse and elections
- Risks to vulnerable groups, especially minors
Data Protection Intersection: When systemic risks affect data protection rights:
- DPIA under Article 35 GDPR becomes mandatory
- Data minimization measures can mitigate DSA risks
- Privacy by design principles support DSA compliance
Governance and Enforcement: The Cooperation Imperative
The Regulatory Architecture
Key Players:
- Digital Services Coordinators (DSCs): National DSA enforcement
- Data Protection Authorities (DPAs): GDPR enforcement
- European Commission: VLOP/VLOSE supervision
- European Board for Digital Services (EBDS): DSA coordination
The Principle of Sincere Cooperation
Although the DSA contains no explicit requirement to this effect, the EDPB emphasizes that authorities must cooperate on the basis of general EU law principles:
- DSCs must consult DPAs when DSA enforcement affects personal data
- DPAs must engage with DSCs when GDPR enforcement intersects with DSA obligations
- Failure to coordinate risks regulatory inconsistencies and potential ne bis in idem violations
Practical Compliance Strategies
1. Integrated Compliance Framework
Build Once, Comply Twice:
- Map all DSA obligations to corresponding GDPR requirements
- Create unified policies addressing both frameworks
- Implement technical measures satisfying both regulations
- Document compliance with both sets of requirements
2. Documentation and Accountability
Essential Documentation:
- Legitimate interest assessments for content moderation
- DPIAs for systemic risk mitigation measures
- Transparency reports addressing both DSA and GDPR requirements
- Cross-functional compliance matrices
3. Technical Implementation
Privacy-Preserving Solutions:
- Implement differential privacy for analytics
- Use homomorphic encryption for sensitive processing
- Deploy federated learning for ML models
- Adopt privacy-preserving age assurance methods
4. Organizational Measures
Governance Structure:
- Establish cross-functional compliance teams
- Create clear escalation paths for DSA-GDPR conflicts
- Implement regular training on both frameworks
- Maintain dialogue with both DSCs and DPAs
Looking Ahead: The Evolution of Digital Compliance
Immediate Actions for Compliance Teams
- Gap Analysis: Review current DSA compliance measures against GDPR requirements
- Risk Assessment: Identify areas where DSA and GDPR obligations intersect
- Policy Updates: Revise privacy policies and terms to address both frameworks
- Technical Audits: Ensure systems comply with both regulations' requirements
- Training Programs: Educate teams on the interplay between regulations
Future Developments to Monitor
- Public Consultation: Comments on the guidelines are open until October 31, 2025
- Enforcement Trends: Watch early DSA enforcement actions for precedents
- Additional Guidance: The EDPB is working on DMA-GDPR and AI Act-GDPR guidelines
- Code of Conduct Development: Industry-specific guidance under Article 45 DSA
Key Takeaways for Compliance Professionals
- No Hierarchy: Neither DSA nor GDPR takes precedence—both must be satisfied simultaneously
- Higher Standards Win: Where requirements differ, the more restrictive standard applies
- Documentation is Critical: Demonstrate compliance with both frameworks through comprehensive documentation
- Cooperation is Mandatory: Engage proactively with both DSCs and DPAs
- Privacy by Design: Technical measures supporting GDPR often satisfy DSA requirements
Conclusion: Navigating the New Normal
The EDPB's guidelines represent more than regulatory clarification—they establish a new paradigm for digital platform compliance in Europe. Organizations must move beyond siloed compliance approaches and embrace integrated frameworks that satisfy both DSA and GDPR requirements simultaneously.
The message is clear: in the EU's digital single market, platform safety and data protection are not separate concerns but interconnected obligations requiring holistic compliance strategies. Success will belong to organizations that view this complexity not as a burden but as an opportunity to build trust through comprehensive user protection.
For compliance teams, the path forward requires careful navigation, robust documentation, and proactive engagement with regulators. The guidelines provide the map—now it's time to chart the course.
This analysis is based on the EDPB Guidelines 3/2025 adopted on September 11, 2025, currently open for public consultation until October 31, 2025. Organizations should monitor the final version for any amendments and adjust their compliance strategies accordingly.
Additional Resources
About Compliance Implementation
For organizations seeking to implement these guidelines, consider:
- Conducting comprehensive compliance audits
- Engaging specialized legal counsel familiar with both frameworks
- Investing in privacy-enhancing technologies
- Building strong relationships with regulatory authorities
- Participating in industry codes of conduct development
Note: This article provides general guidance based on publicly available information and should not be considered legal advice. Organizations should consult with qualified legal counsel for specific compliance requirements.