EDPB Issues First Guidelines on Interplay Between the DSA & GDPR

Key Takeaways
  • First Guidelines on DSA-GDPR Interplay: The EDPB issued its first guidance clarifying how the GDPR applies to obligations under the Digital Services Act (DSA).
  • Focus Areas Identified: The guidelines address notice-and-action mechanisms, recommender systems, advertising transparency, deceptive design patterns, protection of minors, and systemic risk management.
  • Reinforcing User Rights: Provisions prohibit profiling-based ads targeting minors and restrict the use of sensitive categories of data for advertising, aligning with GDPR safeguards.
  • Cross-Regulatory Cooperation: The EDPB stressed the need for coordination between Digital Services Coordinators, the European Commission, and data protection authorities to avoid inconsistencies.
  • Next Steps in Digital Governance: Public consultation will open, and further guidance is planned on the interplay between GDPR, the Digital Markets Act (DMA), and the AI Act.
Deep Dive

The European Data Protection Board (EDPB) has adopted its first set of guidelines clarifying how the EU’s General Data Protection Regulation (GDPR) aligns with obligations under the Digital Services Act (DSA). The move marks a significant step in creating a coherent digital rulebook across the European Union.

The DSA, which applies to online intermediary services such as platforms and search engines, is designed to complement the GDPR by safeguarding fundamental rights in the digital environment. The EDPB’s new guidelines address situations where provisions of the DSA require the processing of personal data, offering clarity on how GDPR principles and definitions apply.

“These guidelines mark a significant step towards ensuring a coherent and effective EU digital rulebook, and they will help uphold the fundamental rights and freedoms of individuals,” said EDPB Chair Anu Talus, encouraging stakeholders to contribute during the forthcoming public consultation.

The guidelines highlight specific provisions of the DSA that overlap with the GDPR framework:

  • Notice-and-action systems: Mechanisms that allow users to report illegal content may involve processing personal data. Hosting providers are reminded to collect only necessary information and to inform notifiers if their identity is disclosed.
  • Recommender systems: Platforms that personalize content through profiling must provide users with genuine alternatives, without nudging them toward profiling-based options. In some cases, such recommendations may qualify as “decisions” under Article 22 GDPR.
  • Protection of minors: The DSA prohibits profiling-based advertising directed at children. The EDPB stresses that age assurance mechanisms must avoid intrusive identification methods.
  • Advertising transparency: Under the DSA, platforms must clearly label ads and are prohibited from using sensitive categories of data for targeted advertising, reinforcing existing GDPR protections.
  • Deceptive design patterns: The EDPB outlines when manipulative interfaces may fall within GDPR scope, especially where they influence users’ behavior in connection with personal data processing.
  • Systemic risk management: Very large platforms and search engines must mitigate risks such as illegal content dissemination and threats to fundamental rights, aligning with GDPR requirements on data protection by design.

The guidelines also emphasize the importance of cooperation across regulatory bodies, noting that Digital Services Coordinators, the European Commission, and data protection authorities must work together to avoid inconsistencies and ensure legal certainty for service providers.

By clarifying where the DSA intersects with the GDPR, the EDPB aims to strengthen enforcement coherence while giving intermediary services clearer guidance on compliance obligations.

The EDPB confirmed further work is underway on similar cross-regulatory guidance. Joint guidelines with the European Commission are expected on the interplay between the GDPR and both the Digital Markets Act (DMA) and the AI Act, as Europe continues to shape its digital governance framework.
