On September 11, 2025, the European Data Protection Board (EDPB) adopted guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR).
While the GDPR needs no introduction, the DSA is a fairly new European Union (EU) regulation that sets out obligations for providers of digital services – including online marketplaces – acting as intermediaries that connect consumers with goods, services, and content. The DSA is designed to foster safer online environments, combat illegal content, enhance transparency for users, and strengthen protections for children.
The guidelines aim to support consistent interpretation and application of both the DSA and GDPR, particularly where the DSA intersects with personal data processing by providers. They focus on specific DSA provisions that significantly overlap with GDPR requirements.
Here are five key takeaways from the guidelines that providers and recipients of intermediary services under the DSA should keep in mind.
1. Providers must demonstrate they have a lawful basis for processing personal data
According to the guidelines, providers will generally be considered data controllers when processing personal data under the DSA. They must identify a valid legal basis for collecting, using, or processing personal data. For certain DSA provisions, the guidelines propose specific legal bases that providers may be able to rely on:
| DSA Provision | GDPR Legal Basis | GDPR Considerations |
|---|---|---|
| Article 7 - voluntary own-initiative investigations to remove illegal content | Article 6(1)(f) - legitimate interests (especially when content can be disseminated via an online platform) | Three cumulative conditions must be fulfilled to rely on the legitimate interests legal basis: (1) the interest pursued must be legitimate; (2) the processing of personal data must be necessary for the legitimate interest pursued; and (3) the interests or fundamental rights and freedoms of the data subjects affected by the processing must not override the legitimate interest pursued by the controller. |
| Article 7 - voluntary own-initiative investigations to comply with the requirements of EU or national law | Article 6(1)(c) - compliance with a legal obligation | |
| Article 16 - notice and action mechanisms | | |
| Article 17 - statement of reasons | | |
| Article 28 - online protection of minors | | |
2. Providers must consider the GDPR’s rules on automated decisions
The guidelines recognise that, at times, providers will be expected to use automated systems in their efforts to comply with DSA requirements. But under Article 22(1) of the GDPR, individuals have the right not to be subject to automated decision-making that has legal or similarly significant effects. So when providers implement automated processes to comply with their DSA requirements, must they also conduct an Article 22 GDPR analysis?
In short, yes. The guidelines state that when providers rely on automated processes under the DSA, they must consider Articles 22(2)–(4) GDPR. They must also ensure that they adhere to the Article 13 and Article 14 GDPR transparency obligations for the existence of automated decision-making or profiling activities.
For certain provisions of the DSA, the EDPB has set out cases in which automated decision-making and profiling may ‘significantly affect’ data subjects:
| DSA Provision | Automated Decision-Making That May 'Significantly Affect' Data Subjects | GDPR Considerations |
|---|---|---|
| Article 7 - voluntary own-initiative investigations and legal compliance | Pre-emptively identifying and removing offending content from the platform | |
| Articles 16 and 17 - notice and action mechanisms and statement of reasons | Reviewing, responding to, and acting on notices received from individuals or entities involving potentially illegal content | |
| Article 26 - advertising on online platforms | Profiling an individual to present an advertisement | Several characteristics of the personal data processing activity should be taken into account. |
| Articles 27 and 38 - recommender systems | Recommending online content where this 'significantly affects' an individual (e.g. recommender systems for housing or job offers) | Particular attention should be paid to: |
3. Providers must satisfy transparency obligations under both the DSA and the GDPR
Transparency is a core principle of both the DSA and the GDPR, and both laws set out specific instances in which a provider must share specific information with recipients of the service. Under the GDPR, this information must be provided to an individual either at the time the personal data is collected (in cases of direct collection) or within one month of obtaining the personal data (in cases of indirect collection). The DSA's transparency obligations follow their own audience, content, and timing rules, summarised below. Providers must ensure that data subjects receive all notices required by both the DSA and the GDPR.
| DSA Provision | Audience Receiving the Required Disclosure | Contents of the Disclosure | Time of Disclosure |
|---|---|---|---|
| Articles 16 and 17 - notice and action mechanisms and statement of reasons | The individual or entity that provided notice of potentially illegal or violative content on the provider's platform | The provider's use, if any, of automated processes to review, respond to, or act on the notice. | Not specified, but the suggestion is that this information will be provided at the same time as the Article 13 GDPR information is provided to the data subject. |
| Articles 16 and 17 - notice and action mechanisms and statement of reasons | The user whose content has been reported to, reviewed by, or removed by the provider | The provider's use, if any, of automated processes to review, respond to, or act on the notice. | Not specified, but the suggestion is that this information will be provided at the same time as the Article 13 GDPR information is provided to the data subject. |
| Articles 16 and 17 - notice and action mechanisms and statement of reasons | The user whose content has been reported to, reviewed by, or removed by the provider | A clear and specific statement of reasons for any decision to remove or disable access to the user's content (assuming the provider has a means of contacting the affected user). | When a decision to remove potentially illegal content has been taken by the provider. |
| Article 26 - advertising on online platforms | The viewer of the advertisement | Whenever an advertisement is presented to an individual on the provider's online platform, the provider must ensure that the individual knows the required information about that advertisement. This information should be accessible directly from the advertisement itself, rather than in a separate document or on a separate web page. | In real time, while the advertisement is presented. |
| Article 27 - recommender systems | All platform users | Providers that use recommender systems must disclose the required information about those systems. | Must be available in the platform's terms of service. |
4. Providers must think carefully about their use of special categories of personal data
The guidelines remind providers to process 'sensitive' or special categories of personal data only when an exception to the prohibition on such processing applies. Critically, Article 26(3) DSA forbids providers from processing special categories of data to present advertisements based on profiling, even where the GDPR might otherwise permit the profiling (e.g. because the recipient of the service explicitly consented to the processing of their sensitive personal data).
5. Providers must ensure that they adhere to data minimisation principles when protecting minors
The guidelines reiterate that providers may only collect, use, and process personal data to comply with the DSA when it is necessary and proportionate to do so. For example, in the context of Article 28 DSA (the online protection of minors), the EDPB specifies that this DSA obligation alone cannot be used to justify age assurance mechanisms that require a user to unambiguously identify themselves – e.g. requiring a user to submit a copy of their government-issued ID.
If a provider concludes that age assurance is necessary for its platform, it must take a risk-based approach, weighing the need to keep minors off the platform against the potentially adverse effects of the mechanism for all recipients of the service. In practice, this means limiting the processing of personal data to what is necessary and proportionate to estimate or verify recipients' age (e.g. by using an age range rather than an exact date of birth).
Recommendations
Providers of online intermediary services subject to the DSA should review their data collection processes to confirm necessity and proportionality, and should identify and document an appropriate legal basis for each processing activity. Ensuring transparency under both the DSA and the GDPR will also be key, especially where automated decision-making and profiling are used; providers should review and update their transparency notices as necessary. Complying with all DSA obligations while maintaining GDPR compliance will be a challenge, but a necessary one to withstand regulatory scrutiny.