EDPB clarifies interplay between the Digital Services Act and the GDPR
The question
How do the obligations under the Digital Services Act (DSA) interact with the requirements of the EU General Data Protection Regulation (GDPR), and what practical implications does this interplay have for online platforms and other digital service providers operating in the EU?
The key takeaway
The European Data Protection Board (EDPB) Guidelines 3/2025 clarify that compliance with the DSA does not exempt organisations from fulfilling their GDPR obligations. Where the DSA obligations require processing of personal data (eg identifying traders, publishing contact details, or maintaining transparency logs), such processing must always be compatible with the GDPR’s principles, in particular the principles of lawfulness, fairness, transparency, purpose limitation, and data minimisation.
The background
The DSA (Regulation (EU) 2022/2065) came into force on 16 November 2022 and introduced new rules for online platforms, including transparency obligations, with one of its main aims being to keep users of these platforms safe from fraudulent/illegal content and activities.
Obligations under the DSA include:
- disclosing why a user is seeing an advertisement
- disclosing information on how very large online platforms’ “recommender systems” manage content visibility and ranking, and
- reporting on moderation practices and related risks.
The GDPR is the EU’s primary data protection framework, setting strict requirements for any processing of personal data. The co-existence of the DSA and the GDPR has raised questions about how organisations should reconcile potentially overlapping or conflicting obligations.
The development
The EDPB Guidelines 3/2025 provide detailed analysis on the interplay between the DSA and GDPR. Key points include:
- the DSA generally does not remove GDPR obligations; where DSA provisions require processing, controllers must identify a legal basis under the GDPR. In limited, demonstrable circumstances, certain DSA obligations (eg Articles 28(1)–(2)) may themselves qualify as a legal obligation under Article 6(1)(c) GDPR, provided that processing is necessary and proportionate. Organisations must identify a valid legal basis for each processing activity required by the DSA
- where the DSA requires transparency or disclosure of information, such requirements must be interpreted in light of the principles under the GDPR, ensuring that only necessary personal data is processed and disclosed
- the guidelines highlight specific DSA obligations (eg user notifications, reporting illegal content, risk assessments) and explain how these must be implemented in a GDPR-compliant manner
- the EDPB emphasises that data subjects’ rights under the GDPR (such as access, erasure, and objection) remain fully applicable, even where processing is mandated by the DSA.
Why is this important?
The guidelines address a critical area of uncertainty for digital service providers, ensuring that the implementation of the DSA does not inadvertently lead to breaches of data protection law. Core DSA obligations include: disclosing why a user is seeing a specific advertisement; explaining how very large online platforms’ recommender systems determine content visibility; and publishing information on content moderation, risk management, and compliance measures.
Organisations must carefully assess each DSA-related processing activity to avoid unlawful or excessive data use, which could result in regulatory action under either regime. The guidance also supports harmonisation and helps to provide legal certainty across the EU digital market.
Any practical tips?
Organisations should consider:
- reviewing all DSA-related processing activities to ensure a valid GDPR legal basis is identified and documented
- making sure they consider, and apply, relevant principles under the GDPR such as data minimisation and purpose limitation when fulfilling obligations under the DSA
- updating privacy notices to reflect any new processing activities arising from DSA compliance
- training staff on the requirements under both the DSA and GDPR, emphasising areas where obligations overlap, and
- monitoring future EDPB guidance and regulatory developments to stay up to date with best practice.
Autumn 2025