EDPB Issues First Guidelines on the Interplay Between the Digital Services Act and the GDPR | Wilson Sonsini Goodrich & Rosati



On September 12, 2025, the European Data Protection Board (EDPB) adopted guidelines (Guidelines) on the interplay between the EU Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The Guidelines seek to clarify the data protection issues that regulated online services should take into account when seeking to comply with their obligations under the GDPR.

Why Are the Guidelines Significant?

The DSA, which applies to online services such as platforms and search engines, introduces rules to create a safer digital environment and to protect users’ fundamental rights. Compliance with many of the DSA’s provisions necessarily involves the processing of personal data. The Guidelines note that in view of the differing objectives pursued by these two significant pieces of legislation, there is a need for cooperation between Digital Services Coordinators, the European Commission, and data protection authorities (DPAs), with the overall goals of providing greater legal certainty for regulated services and enhancing the protection of users’ rights.

The Guidelines are now open for public consultation until October 31, 2025, offering stakeholders an opportunity to provide comments and feedback before finalization.

Key Takeaways

  1. Intermediary services
    • Proactive Content Investigation and Moderation. The DSA provides regulated services with safe harbors against liability for hosting illegal content provided that they do not have knowledge of its presence on their service. However, services can undertake some own-initiative investigations without losing the benefit of these safe harbors. Where such efforts involve the processing of personal data, the EDPB notes that serious risks for transparency and data accuracy can arise, particularly where machine learning models and other automated tools are used, and that “legitimate interests” is most likely to be the appropriate legal basis for associated processing under the GDPR. The Guidelines also caution that voluntary own-initiative investigations may amount to automated decision-making (ADM) under the GDPR, especially if content removal or account suspension is based solely on algorithmic outputs without meaningful human review. The EDPB stresses the importance of transparency: providers must inform users about the logic and consequences of automated systems to detect illegal content, disclose error rates, and issue clear statements of reasons for removal decisions.
  2. Online Platforms
    • Dark Patterns Face Dual Regulation. According to the EDPB, deceptive design patterns will fall under the GDPR where they manipulate users into disclosing or sharing personal data. This may include addictive design patterns such as infinite scroll, autoplay, gamification, or countdown timers which may involve or generate personal data. The EDPB considers that such practices generally raise issues under the GDPR because they violate the principles of fair, lawful, and transparent processing.
    • Advertising Transparency. The EDPB notes that ad targeting may qualify as ADM under the GDPR where it significantly affects individuals, for example by influencing user behavior. Factors that could trigger ADM under the GDPR include the intrusiveness of the profiling, cross-site and cross-device tracking, users’ expectations, how the ad is delivered, and whether vulnerabilities are being exploited—for instance situations where targeting takes place based on a person’s age, economic situation, or emotional state. Profiling for advertising purposes using special categories of data is prohibited under the DSA, even if such processing may otherwise be permitted under the EU GDPR. The EDPB notes that the DSA’s advertising transparency requirements are distinct from, and may require a different approach to, the GDPR’s transparency requirements. 
    • Recommender Systems. Recommender systems increasingly rely on behavioral analysis for prediction purposes, which may amount to a profiling activity under the GDPR. The EDPB states that the use of recommender systems may give rise to risks for individuals, for example if they are not accurate, or information about the use of personal data for evaluation and profiling is not provided. These issues may disproportionately impact vulnerable data subjects, such as minors or elderly people. When recommender systems are used to propose content, services and products that significantly affect users—such as housing or job offers—they may be subject to the rules on profiling and ADM. As regards users’ choice regarding the recommendation parameters used, the EDPB recalls that Very Large Online Platforms and Search Engines (VLOPs/VLOSEs) should not i) nudge users in favor of profiling-based recommendation, ii) use such recommendation before the users’ opt-in, and iii) collect personal data for the purposes of such future recommendations while the non-profiling option is active. The EDPB also stresses that providers should respect the purpose limitation when processing users’ choices of the parameters used in recommender systems, and thus use them solely to comply with the DSA.
    • Protection of Minors and Age Assurance. The EDPB underlines that if providers process personal data for the purpose of protecting minors, for example during age assurance processes, they must comply with GDPR requirements—meaning they need a valid legal basis, must limit processing to what is strictly necessary to achieve the protective purpose, and ensure that the measures taken are not excessive compared to the risks they seek to address. Providers may have a lawful basis for processing data under the GDPR provided they can demonstrate, on a case-by-case basis, that age assurance is strictly necessary. The EDPB emphasizes that age checks should not require clear online identification, especially not through government IDs. Instead, providers should apply a risk-based approach, verifying only what is necessary (e.g., confirming an age range rather than an exact date of birth) and avoiding permanent storage of age data. It considers data minimization and data protection by design and by default as central principles, recommending that platforms merely record whether a user fulfils the service conditions. Where providers are designated VLOPs/VLOSEs, they must also assess whether features of their service may give rise to systemic risks for society and individuals, and adopt targeted protective measures to address these, such as parental control features, tools that allow minors to report abuse, and mechanisms that connect them with appropriate support resources. In this context, if there are only low risks for minors, it may be sufficient to ask for age confirmation.
  3. Cooperation Between Competent Regulators. The EDPB recalls that several obligations under the DSA affect the processing of personal data, which under the EU Charter must remain subject to control by independent DPAs. While EU Member States may designate regulators other than DPAs to enforce the DSA, the EDPB highlights that cooperation mechanisms must ensure DPAs are involved wherever personal data is concerned. The EDPB underlines that, even though the DSA does not explicitly require consultation with DPAs, the principle of sincere cooperation under EU law requires authorities enforcing the DSA to consult and cooperate with DPAs where GDPR compliance is at stake, and vice versa.

The DSA and GDPR are closely linked, especially where platforms process personal data in areas such as targeted advertising, recommender systems, or content moderation. The EDPB makes clear that companies cannot treat these frameworks separately: rules on transparency, profiling, minors’ protection, and automated decision-making overlap and must be applied consistently. To manage these expectations, legal, privacy, compliance, and trust & safety teams should work together to ensure a joined-up approach.

Aurore Troussel contributed to the preparation of this alert.


