Summary 

On 12 September 2025, the European Data Protection Board (EDPB) published its draft Guidelines on the interplay between the DSA and the GDPR (the Draft Guidelines). The Draft Guidelines aim to clarify how intermediary service providers (ISPs) should interpret and apply the GDPR when processing personal data in the context of DSA requirements. The Draft Guidelines are currently open to submissions as part of a public consultation until 31 October 2025.

Some of the most notable proposed guidelines include the suggestions that:

  • Hosting service providers should avoid making submissions via their Article 16 DSA notice and action mechanisms contingent on a notifier providing their identity, except in the limited circumstances where it is not possible to determine the alleged illegal content in the notice without it; 
  • ISPs' Article 7 DSA activities (i.e. voluntary own-initiative investigations, or measures taken to comply with legal obligations, for the detection, identification, removal or disabling of access to illegal content) are likely to require a data protection impact assessment pursuant to Article 35 GDPR where they involve evaluation or scoring, automated decision-making with legal or similarly significant effects, or systematic monitoring. The EDPB considers this even more likely for VLOPs, given their greater likelihood of meeting the large-scale processing criterion.   
  • Providers of online platforms should provide users / service recipients with any real-time advertising information specified in Articles 26(1)(a)-(d) DSA directly from the advertisement itself rather than via a “one click away” privacy policy.  

Scope and General Principles 

The Draft Guidelines do not address every DSA provision that imposes an obligation on ISPs. Instead, they focus on select DSA provisions whose interaction with the GDPR the EDPB considers particularly intensive, such as obligations in relation to the protection of minors and practices that involve automated processing of personal data. 

The Draft Guidelines also clarify some general principles in respect of controller / processor distinctions, and enforcement and supervision: 

  • Traditional GDPR controller / processor definitions apply to ISPs when carrying out any DSA-related activities. All ISPs subject to the DSA are considered controllers where they determine the purposes and means of the processing of any personal data, and processors where they process data on behalf and under the instructions of a controller.
  • ISPs may be supervised by national Digital Services Coordinators (DSCs) and the European Commission (EC) (for DSA compliance) and the relevant DPAs (for GDPR compliance) in respect of the activities described in the Draft Guidelines. ISPs will need to ensure compliance with both regimes in any overlapping activities. DSCs, the EC and DPAs are required to cooperate to ensure the obligations on ISPs are clear.

GDPR & DSA Liability Obligations applicable to all ISPs

Article 7 DSA (Voluntary own-initiative investigations)
Detecting, Identifying and Removing or Disabling Access to Illegal Content 
Voluntary measures to detect, identify, remove or disable access to illegal content may include the use of automated measures, such as keyword or text pattern matching or machine learning tools. If ISPs train or deploy models for detecting illegal content, they will need to limit the processing of personal data for model training and deployment "insofar as possible", and be able to demonstrate compliance with GDPR principles (particularly data minimisation and data protection by design and default) where any personal data is processed. 
Where processing of personal data is necessary for identifying illegal content, the Draft Guidelines identify the following lawful bases as likely the most appropriate bases for controllers to rely on in certain circumstances:

Legitimate interest (Article 6(1)(f)): in the context of voluntary own-initiative investigations or measures to detect, identify, remove (or disable access to) illegal content. ISPs should be particularly mindful of whether the processing would be reasonably expected by data subjects and whether it concerns children. 

Legal obligation (Article 6(1)(c)): where there are "targeted legal obligations under EU or Member State law" for ISPs to detect and address illegal content, i.e. where ISPs carry out processing in good faith to comply with the requirements of Union or Member State law. Examples include identifying and taking down copyright-protected works, responding to Article 17 GDPR (right to erasure) requests, or responding to DSA orders to act against illegal content or to provide information. 

Automation 
If the processing of personal data for the detection and removal of illegal content involves automation, the Draft Guidelines consider that Article 22(1) GDPR will apply to decisions (such as removal of content) that produce legal or similarly significant effects for the data subject, i.e. such a decision will be prohibited where it is based solely on automated processing, which the EDPB takes to be the case: 

(i) where there is no human involvement; 
(ii) if human involvement is not meaningful; or 
(iii) if a human "draws strongly" on the algorithmic recommendation generated by the system when deciding whether to remove the content.

Where Article 22(1) GDPR applies, ISPs will need to verify whether they can rely on one of the exceptions to this prohibition set out in Article 22(2) GDPR (a decision necessary for a contract with the data subject, authorised by Union or Member State law, or based on the data subject's explicit consent) before proceeding.

Transparency
ISPs, when acting as data controllers, should ensure they are transparent towards data subjects in relation to any processing they may carry out for the purposes of Article 7 DSA. The level of transparency here should be commensurate with the GDPR standard for transparency at Articles 12-14 GDPR.

If any of this processing is subject to Article 22(1) GDPR, ISPs may need to provide additional information on this processing in their terms and conditions and any annual transparency reports published pursuant to Article 15 DSA.

Data Protection Impact Assessments (DPIAs)
The EDPB anticipates that a DPIA will likely be required where processing for the purpose of Article 7 DSA involves evaluation or scoring, automated decision-making with legal or similarly significant effects, or systematic monitoring. It anticipates this to be additionally likely for VLOPs, due to their increased likelihood of meeting the large-scale processing criterion.

GDPR & DSA Due Diligence Obligations Applicable to Hosting Service Providers

Article 16 DSA (Notice and action mechanisms)
Personal Data of Notifiers
While ISPs need to implement "robust safeguards" to protect the personal data of all parties involved in their notice and action mechanisms, the Draft Guidelines identify several considerations for notifiers (i.e. individuals who notify a provider of a hosting service about allegedly illegal content) in particular. To protect the personal data of notifiers, affected recipients of the service and third parties, the Draft Guidelines suggest hosting service providers:

– Limit requests for notifiers’ personal data in Article 16 notification forms to information required for compliance with Article 16(2) DSA; and

– Avoid making the submission of an Article 16 notice contingent on a notifier providing their identity, (unless it is not possible to determine the alleged illegal content without it).

Automation
While the DSA permits hosting service providers to use automation to process, or make decisions on, notices about illegal or incompatible content received via their notice and action mechanisms, hosting service providers need to ensure that this processing does not constitute a prohibited type of automated decision-making as set out at Article 22 GDPR. 

If hosting service providers do use automation for processing or making decisions on Article 16 notices, they must disclose to notifiers the use of automated means for handling notices:

(i) without undue delay, when informing a notifier of their decision in respect of the information to which the notice relates; and

(ii) at the time the notifier’s personal data is obtained. This disclosure must also include “meaningful information” about the logic involved in this automated decision-making and any information specified in Article 17(3) DSA.

Automated decisions made in the context of Article 16 DSA cannot be based on special categories of personal data, unless the public interest or explicit consent derogations apply. The Draft Guidelines do not provide any details on how hosting service providers can address this in scenarios where they do not intend to process special categories of personal data, but they are presented with it anyway, e.g. the notifier includes such personal data in the notice they submit to the hosting service provider’s Article 16 DSA mechanism.   
Article 17 DSA (Statement of reasons)
Personal data of the notifier should only be included in the statement of reasons provided to affected recipients of the service "where it is strictly necessary to do so".

Hosting service providers should define the cases where it would be necessary and proportionate to reveal a notifier's identity to affected recipients of the service. The Draft Guidelines do not provide examples beyond that already given in Recital 54 DSA, i.e. cases of infringements of intellectual property rights.

GDPR & DSA Due Diligence Obligations Applicable to Providers of Online Platforms 

Article 20 DSA (Internal complaint-handling system)
The Article 20 DSA internal complaint-handling system operates without prejudice to any rights and remedies available to data subjects pursuant to the GDPR, where providers of online platforms act as controllers.

Article 23 DSA (Measures and protection against misuse)
Any suspension of users from the service should be carried out with safeguards in place for "respecting the rights and interests of all involved." From a data protection perspective, this includes:

– Avoiding the adoption of automated suspension decisions;

– Minimising the possibility of suspension decisions being made on the basis of inaccurate personal data;

– Ensuring providers of online platforms, when acting as data controllers, are transparent with data subjects regarding any processing of personal data they may carry out for the purposes of Article 23 DSA. The level of transparency here should be commensurate with the GDPR standard for transparency at Articles 12-14 GDPR; and

– Retaining the personal data of the suspended recipient or complainant for no longer than the duration of the suspension period.

Article 25 DSA (Online interface design and organisation)
GDPR obligations in respect of deceptive design patterns are only triggered where: (i) personal data is being processed; and (ii) the data subject's behaviour that the pattern influences relates to the processing of personal data. DPAs must assess this on a case-by-case basis. 

Article 26 DSA (Advertising on online platforms)
Providers of online platforms must disclose when information on their platforms is an advertisement, and whether profiling has been used to present a particular advertisement to users. As this information must be delivered to users in real time, it should be provided directly from the advertisement itself rather than via a "one click away" privacy policy.

Use of special categories of personal data for advertising based on profiling is prohibited, even if a platform has a lawful basis under Article 6(1) GDPR and an appropriate derogation under Article 9(2) GDPR for this processing.

Providers of online platforms should ensure that the way this information is presented to users, and the means by which users can change advertising parameters, do not allow intermediary services that connect publishers of advertisements with advertisers to access or collect any additional information about the recipient of the service.
Article 27 DSA (Recommender systems)
Although the Draft Guidelines recognise that not all recommender systems process personal data, where they do:

– Providers of online platforms, where they act as data controllers, will need to ensure they rely on the most appropriate Article 6 GDPR lawful basis (and, if special-category data is being processed, the relevant Article 9(2) GDPR derogation), though the Draft Guidelines are silent on what these bases might be;

– Providers of online platforms, where they act as data controllers, should include information on the personal data processed by the recommender systems they embed in their services in their privacy notices and any other documentation they rely on to comply with their GDPR transparency requirements;

– Users' choices relating to the modification of recommender system parameters should be collected and processed for the sole purpose of DSA compliance and stored only for the time necessary to achieve this; and 

– Providers of online platforms should not retain a history of users’ previous choices.
Article 28 DSA (Protection of minors)
Providers of online platforms should understand the risks their services may pose to minors and, when taking any measures to ensure a high level of privacy, safety and security for minors under Article 28 DSA, ensure that any processing of personal data is necessary and proportionate. 

Providers of online platforms should avoid age assurance mechanisms that: 

– enable unambiguous identification of users (e.g. by asking them to submit proof of their identification via government-issued ID);

– process special categories of data; or 

– permanently store age/age ranges obtained via estimation (recording whether the recipient of the service fulfils the condition(s) to use the service should be done instead).

GDPR & DSA Due Diligence Obligations Applicable to VLOPs and VLOSEs

Articles 34 and 35 DSA (Risk assessment and mitigation)
Article 34 DSA risk assessments must include an assessment of risks to the fundamental right to the protection of personal data, including those arising from the intentional manipulation of the service and the dissemination of illegal content.

If any systemic risks are identified, a DPIA under Article 35 GDPR is likely to be required. The list of risk mitigation measures set out at Article 35(1) DSA should be drawn on when carrying out the DPIA.

Article 38 DSA (Additional recommender system obligations)
In addition to the obligations at Article 27 DSA: 

– Recommender systems must be deployed on an opt-in basis where processing personal data – providers of VLOPs and VLOSEs may only use a recommender system based on profiling after a user chooses this option.

– If providing different options of recommender systems to users, providers of VLOPs and VLOSEs should present users with profiling and non-profiling options equally on first use of the service. 
 
– While the non-profiling based option is active, providers of VLOPs and VLOSEs cannot continue to collect and process personal data to profile the user, for the purposes of future recommendations, e.g. in case the user chooses a profiling-based recommender option in the future.

Next Steps

  • The public consultation on the Draft Guidelines is open for submissions until 31 October 2025. 
  • After the consultation period closes, the EDPB will issue a finalised version of the Draft Guidelines. A publication date for this has not been confirmed at the time of writing.

For further information, please contact Dr Stephen King, Partner, or Anna Nichols, Solicitor or your usual ALG Technology contact.