ARTICLE
28 October 2025

Layered Approach Needed For Compliance – EDPB Publishes Guidelines For DSA-governed Intermediaries Processing Personal Data

Catalin Veliscu, WH Partners

The recent trend in regulating the European Union's digital framework seems to revolve around the principle of accountability. This user-centric approach aims at creating a safe online environment for everyone through establishing certain mechanisms that prioritise awareness, control, protection for vulnerable persons and mitigation measures against harmful online practices.

These provisions serve a dual purpose: safeguarding the rights of natural persons and imposing stricter obligations on digital services providers. A critical point lies at the intersection between the rights of natural persons over their personal data and the rules applicable to providers of digital services, who often also act as data controllers, because the relevant legal instruments must be applied in a coherent, coordinated manner.

The common objectives of the Digital Services Act ("DSA")1 and the General Data Protection Regulation ("GDPR")2 needed to be addressed cohesively. On 12 September 2025, the European Data Protection Board ("EDPB") published its Guidelines 3/2025 on the interplay between the DSA and the GDPR (the "Guidelines"). The document is currently in public consultation until 31 October 2025. The Guidelines aim to address the interaction between the DSA and the GDPR, given that the DSA imposes certain rules involving the processing of personal data, and to provide legal certainty for intermediary service providers ("ISPs", in the DSA sense of mere conduit, caching and hosting services, not internet access providers only).

Besides being an enforcement guide, the Guidelines are also a set of clarifications for the implementation of compliance measures by the ISPs. These mainly concern the following sets of provisions:

  • Voluntary own-initiative investigations in relation to illegal content
  • Notice-and-action mechanisms for reporting illegal content
  • Recommender systems for personalisation of content
  • Protection of minors against profile-based advertising
  • Transparency of advertising
  • Prohibition of advertising based on profiling with special categories of personal data (Article 26(3) of the DSA)
  • Cross-regulatory cooperation between enforcement authorities

Herein, some of these topics will be analysed in order to assess the main advice of the EDPB.

Voluntary own-initiative investigations and legal compliance in relation to illegal content

The rules on voluntary own-initiative investigations in relation to illegal content are provided by Article 7 of the DSA, a provision which allows ISPs to implement, on their own initiative and without losing the liability exemptions, measures for detecting, identifying and removing or disabling access to illegal content, or for complying with the requirements of Union law and national law. However, the DSA does not impose a general obligation to monitor or actively seek facts indicating illegal activity.

Considering that the main techniques used by ISPs for self-initiated checks of illegal content on the platform are automated and revolve around machine learning, the EDPB raises the issue of personal data being processed both in the training phase and in the deployment phase, given that the system must filter through the uploaded content. Thus, at both stages, because activities under Article 7 of the DSA may amount to automated processing or profiling, GDPR compliance must be in focus wherever the processing of personal data cannot be avoided entirely. Technologies used for voluntary detection pose risks related to fairness and data accuracy due to the systematic monitoring of data subjects' activities. Given the massive scale of users, especially on Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), even small error rates can result in a high absolute number of errors and related negative consequences, such as reputational harm or restrictions on the freedom of expression in relation to lawful content (false positives). Any error-rate target for such a classifier should therefore be assessed in absolute terms, against the volume of content actually processed, not only as a percentage.

The EDPB thus concludes that processing under Article 7 of the DSA may trigger the requirement to conduct a Data Protection Impact Assessment ("DPIA") under Article 35 of the GDPR, since the processing may be deemed to raise a high risk, due to systematic monitoring and automated decision-making.

As for the voluntary actions undertaken by ISPs under Article 7 of the DSA, the EDPB identifies two possible scenarios, depending on the objective of the ISP's measures:

  • if the voluntary measures are intended to detect and remove illegal content, given that active monitoring is not required from ISPs, the most appropriate legal basis for processing is legitimate interest (Article 6(1)(f) of the GDPR), which presupposes a documented necessity and balancing test against the interests and rights of the data subjects.
  • on the other hand, if the voluntary measures implemented by the ISP involve data processing in order to comply with requirements of EU law or national law, such processing activities may be carried out pursuant to the controller's legal obligation (Article 6(1)(c) of the GDPR).

A caveat is made here, however. When an ISP processes personal data to comply with an order from a competent authority, such as an order to act against illegal content or to provide information about a user, it must first verify that the order meets the requirements of the DSA (Articles 9 and 10). This check ensures that the order itself is valid under the DSA framework, which in turn confirms that the ISP's processing of personal data is lawful under the GDPR. Only then can the ISP properly rely on the legal obligation basis as the justification for the data processing; an order that fails the check cannot be used to justify disclosure.

Notice and action mechanisms

The EDPB analyses the "report" function of online platforms from the user's standpoint, specifically addressing the requirements applicable to providers of hosting services, including online platforms, that qualify as controllers. Personal data processing may in this case concern the identification data of the notifier and of the affected recipient of the service, when they are individuals. Third parties may also be affected by these systems, in so far as the reported content refers to their personal data.

Consequently, in addition to the need for safeguards around the name and the email address of the notifier, the EDPB underlines compliance with the principle of data minimisation, so that the controller should not ask for categories of data other than those identified in Article 16(2) of the DSA. Moreover, the submission of a notice should not be made dependent on the provision of personal data beyond what that provision requires, and the cases where such data is necessary should be properly defined. Ultimately, the notifier should be informed if their data is shared with the recipient of the service whose content was notified.

Similar conclusions are drawn in relation to complaint mechanisms and to measures and protection against misuse. While complaint mechanisms allow users to challenge decisions made by online platform providers (for example, a decision to suspend the user's account), measures against misuse enable providers to sanction users who frequently post manifestly illegal content or abuse the notice and complaint systems. Online platform providers must ensure, however, that decisions on complaints are taken under the supervision of appropriately qualified staff and not solely by automated means. The EDPB welcomes the safeguards established by the DSA, as they help to avoid solely automated decisions in such cases, and emphasises that any decision on combating misuse must be taken "on a case-by-case basis".

Deceptive design patterns and advertising requirements

The DSA prohibition on deceptive design patterns, intended to ensure users' autonomous and informed choices on online platforms, does not cover practices already regulated by the GDPR or the Unfair Commercial Practices Directive3. Whether a deceptive design pattern falls under the GDPR depends primarily on whether personal data is being processed and whether the influenced user behaviour relates to that processing. For instance, patterns manipulating a user into providing additional personal data, or into consenting to processing, are subject to the GDPR. The EDPB recalls that the use of deceptive design patterns covered by the GDPR is generally considered unlawful, as it violates the principle that personal data must be processed lawfully, fairly and transparently.

Building on this, the EDPB further notes that, as regards advertising transparency, the two Regulations apply in a complementary manner. This means that, for advertising purposes, the requirements set out by the DSA apply irrespective of the legal basis for the processing of personal data. These requirements generally revolve around the transparent marking and disclosure of advertising. It is also important to note that the main parameters used to determine to whom an advertisement is presented must be disclosed, which may itself involve the processing of personal data. More precisely, these parameters may refer to user preferences and browsing history used to select the appropriate advertisement. Once again, a concern is raised in relation to the GDPR restrictions on decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (Article 22 of the GDPR). In light of this, appropriate technical and organisational measures, such as limiting the data used for targeting and documenting the selection logic, are strongly recommended.

Recommender systems

Similarly to advertising, the selection and ordering of a user's personal feed result from choices made by the provider based on certain data about the user. This set of information may or may not involve personal data. Nonetheless, the EDPB considers that, in most cases, current practices for recommender systems involve processing of personal data, as this allows the content to be presented more efficiently and in a more personalised manner.

Consequently, recommender systems, regulated by Articles 27 and 38 of the DSA, give rise to several risks. The EDPB lists here the risks deriving from the processing of personal data on a large scale, potentially lacking accuracy and transparency, as well as the safeguards required for special categories of data, which may also be processed in order to personalise the content shown to the user. Behavioural analysis used by recommender systems for prediction constitutes profiling under Article 4(4) of the GDPR, as it evaluates aspects such as personal preferences, interests and behaviour. Moreover, the main concern of the EDPB appears to be the triggering of the GDPR restrictions on solely automated decisions based on profiling, given that the presentation of specific content through a recommender system may, where it has legal or similarly significant effects on the user, be construed as a "decision" under Article 22 of the GDPR.

Special consideration is given to very large online platforms ("VLOPs") and very large online search engines ("VLOSEs"). Article 38 of the DSA requires that each of their recommender systems offers at least one option that is not based on profiling, allowing the user to use the platform or search engine without personalised or profiled content being shown. The EDPB suggests that, while the non-profiling option is active, the provider should not collect or otherwise process the user's personal data in order to prepare future recommendations. Personal data used for personalisation should thus be processed only while the profiling-based option is active; where the user has not selected that option, the controller must not retain personal data just in case the user changes their mind in the future and returns to the personalised recommender system.

Protection of minors

Given the high level of protection afforded to minors by the GDPR, it is significant that the EDPB considers Article 28 of the DSA a possible legal basis for the processing of their personal data, as a legal obligation of the controller. Nonetheless, it is clearly stated that the controller must demonstrate that such processing (for example, in the case of age assurance) is necessary and proportionate to achieve a high level of privacy, safety and security of minors on its service. It should also be borne in mind that Article 28(3) of the DSA states that compliance with that Article does not oblige providers to process additional personal data in order to assess whether a user is a minor.

As a principle, the EDPB considers that providers should avoid age assurance methods that require the submission of proof of identity, for instance via government-issued documents. These may be replaced by less intrusive methods, such as only requesting an age range from the user, without requesting the exact date of birth. Additionally, the age data should not be stored permanently, and it should only be used in order to check whether the user meets the conditions for using the service; once that check has been performed, the supporting data should be discarded.

In conclusion, the Guidelines reiterate a basic principle of European legislation, namely that a coherent and coordinated approach is essential. The interplay between the DSA and the GDPR is no exception. Therefore, for ISPs, ensuring compliance with the EU framework implies an overall awareness of the legal interactions between the two Regulations, a point clearly noted by the EDPB in its Guidelines.

Footnotes

1 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act).

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
