19.09.2025

Legal Alert | EDPB issues Guidelines on the interplay between the DSA and the GDPR

On 11 September 2025, the EDPB issued Guidelines 3/2025 on the DSA–GDPR interplay: whenever DSA compliance involves personal data, the GDPR also applies. A valid legal basis is required for voluntary content moderation; notice-and-action mechanisms must request only necessary data, ensure transparency when a notifier’s identity is shared, and include human oversight. Dark patterns are incompatible with the GDPR. For advertising, transparency is required both at collection (GDPR) and at display (DSA); targeting based on special-category data and profiling-based ads directed at minors are banned. For recommender systems, Article 22 safeguards apply, an equivalent non-profiling option must be offered and, once chosen, profiling must cease. Measures for minors are permitted only where necessary and proportionate (no intrusive age checks or ID retention). Cooperation between authorities is stressed, and organisations should review their compliance (map processing, legal bases and DPIAs, remove dark patterns, prepare for supervision).

Background

On 11 September 2025, the European Data Protection Board (EDPB) adopted Guidelines 3/2025 on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR).

The Guidelines clarify how intermediary service providers must interpret and apply the GDPR when complying with DSA obligations, ensuring that both frameworks are applied consistently and without lowering the level of protection guaranteed to individuals.

Key provisions clarified by the Guidelines

The Guidelines explain how the GDPR applies to organisations when implementing obligations under the DSA. In practical terms, this means that, whenever DSA obligations involve the processing of personal data, service providers must consider both frameworks together.

  • The EDPB confirms that, when taking voluntary steps to detect and remove illegal content, platforms need an appropriate GDPR legal basis, such as legitimate interests or a legal obligation.
  • Notice-and-action mechanisms are another area of focus. Platforms should not require unnecessary personal details from notifiers, and where a notifier’s identity is transmitted to another user, GDPR transparency rules apply. In addition, complaints cannot be handled solely by algorithms and meaningful human review is required.
  • The Guidelines also adopt a firm position on dark patterns, making clear that interface designs which mislead or pressure users into disclosing personal data are not compatible with the principles of fairness and transparency under the GDPR.
  • Advertising obligations are also reinforced. Transparency requirements apply both at the point of data collection (under the GDPR) and when an ad is displayed (under the DSA). The use of special categories of data for targeting is strictly prohibited, and profiling-based advertising directed at minors is expressly banned.
  • Recommender systems are subject to heightened scrutiny. Where personalisation qualifies as automated decision-making, the safeguards of Article 22 of the GDPR apply. Providers must offer a genuine and equally accessible non-profiling option and must not present it as inferior. Once the non-profiling option is selected, all profiling must cease in full.
  • With regard to child protection, the Guidelines acknowledge that protective measures may provide a GDPR legal basis, but only where they are necessary and proportionate. Intrusive methods, such as permanent age verification or the retention of identity documents, are inconsistent with the principle of data minimisation.

Finally, the Guidelines highlight the importance of cooperation between Digital Services Coordinators, the European Commission, and Data Protection Authorities. Coordinated enforcement is essential to ensure consistency across regimes and to respect the principle of ne bis in idem (no double sanctioning for the same conduct).

Recommended Actions and Next Steps

The EDPB’s message is simple: DSA compliance must always respect GDPR standards. To prepare, businesses, especially online platforms and search engines, should review their compliance programmes now and ensure the following:

  1. Check where DSA duties involve personal data processing (for example in content moderation, advertising, recommender systems and child protection) and identify overlaps;
  2. Document the legal basis and purposes for each personal data processing activity, and carry out DPIAs where profiling, advertising or systemic risks are involved;
  3. Review design and systems to remove any dark patterns, and ensure recommender systems offer a clear and equal non-profiling option;
  4. Apply proportionate safeguards for minors and avoid intrusive or permanent age checks;
  5. Expect oversight from both Digital Services Coordinators and Data Protection Authorities.

Morais Leitão’s Data Protection and Technology teams will continue to monitor these developments. Contact us for further information.