ARTICLE
30 December 2025

Interplay Between The Digital Services Act (DSA) And General Data Protection Regulation (GDPR): Draft EDPB Guidelines 3/2025

GVZH Advocates

Contributor

GVZH Advocates is a modern, sophisticated legal practice composed of top-tier professionals and rooted in decades of experience in the Maltese legal landscape. Built on the values of acumen, integrity and clarity, the firm is dedicated to providing the highest levels of customer satisfaction, making sure that legal solutions are soundly structured, rigorously tested, and meticulously implemented.

The European Data Protection Board (EDPB) published the first draft guidelines on the interplay between the Digital Services Act¹ (the "DSA") and the General Data Protection Regulation² (the "GDPR"), entitled "Guidelines 3/2025 on the interplay between the DSA and the GDPR".

The proposed guidelines were published on 11 September 2025 for public consultation, which closed on 31 October 2025.

The publication of the Guidelines 3/2025 is a crucial step in clarifying how online service providers should apply the GDPR in the context of their obligations under the DSA.

The following sections outline some key aspects of the EDPB draft guidelines, with a focus on the good practices that organisations may implement in order to ensure compliance with both the DSA and the GDPR.

Voluntary own-initiative investigations and legal compliance in relation to illegal content

Pursuant to art. 7 of the DSA, intermediary service providers may adopt voluntary measures to detect and remove illegal content, provided that such measures are undertaken in good faith and in a diligent manner.

However, the EDPB emphasises that this provision does not give rise to a general obligation on intermediary service providers to monitor content or to actively seek facts, as such obligations are expressly prohibited under art. 8 of the DSA.

The EDPB further clarifies that any investigations carried out under art. 7 DSA should, insofar as possible, avoid the processing of personal data. Where the processing of personal data is nevertheless necessary, intermediary service providers must ensure full compliance with the GDPR.

In practice, service providers may rely on technological tools to detect or identify illegal content, including systems based on machine-learning techniques capable of recognising certain characteristics of content based on prior training.

In such circumstances, the EDPB recommends that providers be able to demonstrate that the processing of personal data through these tools complies with the principle of data minimisation, as well as with the requirements of data protection by design and by default.

The proposed Guidelines further clarify that where detection is voluntary, service providers may use "legitimate interests", under art. 6(1)(f) GDPR, as the appropriate legal basis, supported by a robust balancing test. If detection is imposed by EU laws, art. 6(1)(c) (legal obligation) may apply.

Dark Patterns

Art. 25 of the DSA prohibits the use of deceptive design patterns that interfere with users' autonomous and informed decision-making and manipulate users into making harmful decisions. The EDPB highlights that the prohibition under the DSA shall not apply to deceptive design practices already covered under the GDPR or the EU Unfair Commercial Practices Directive.

To determine which regime applies, the EDPB proposes a two-phase assessment:

1. assess whether personal data is processed, and

2. consider whether the design influences user behaviour in relation to such data processing.

For example, patterns that push recipients of a service to buy a product, such as "there are only a few products left in stock" are unlikely to be caught by the GDPR.

However, if the recipient of the service is manipulated into providing (additional) personal data – for example, "There are only a few products left in stock. Enter your email address now and make a reservation" – then the pattern is subject to the GDPR.

Advertising Transparency

Art. 26 of the DSA establishes specific transparency obligations for providers of online platforms regarding their advertising. In particular, the recipient must be able, from the advertisement, to directly access meaningful information regarding the "main parameters" used to determine the advertisement's recipient and, where applicable, information about how to change those parameters. These obligations apply in addition to, and without prejudice to, the transparency requirements set out under arts. 13 and 14 GDPR.

The EDPB guidelines also highlight one of the key distinctions between the DSA and the GDPR regarding the timing of information provided to the recipient. Under the GDPR, information is to be provided at the time of data collection or before any data processing takes place. In contrast, the DSA requires that information be presented in real time with the advertisement. Consequently, the data processing necessary to generate and deliver the advertisement will already have taken place by the time the information is displayed under the DSA.

Profiling Based on Special Category Data

The EDPB reinforces the absolute prohibition, under the DSA, on promoting adverts based on user profiling that uses special category data as defined under the GDPR.

The EDPB clarifies that this prohibition applies even where an appropriate legal basis applies to the data processing under the GDPR.

Examples of prohibited practices under the DSA include providing adverts based on inferred religious beliefs via geolocation (for example, visiting places of worship) or shopping behaviour (for example, purchasing specific food products).

Protection of minors

The DSA mandates that providers of online platforms should put in place appropriate and proportionate measures to ensure a high level of privacy, safety and security when users are minors. It also explicitly prohibits the presentation of personalised advertising to minors based on profiling.

Providers must ensure that proportionate safeguards are in place according to the risks their services may pose to minors so that adequate technical and organisational measures can be implemented.

The EDPB recognises that relevant provisions of the DSA can qualify as a legal basis for data processing under art. 6(1)(c) GDPR, provided that the controller is able to demonstrate (on a case-by-case basis) that such processing (e.g., in the context of age assurance) is necessary and proportionate to meet the DSA obligations.

Next Step

In the coming months, the EDPB is expected to review the feedback received during the public consultation and, where appropriate, revise the draft Guidelines 3/2025 before proceeding to their formal adoption.

Until the guidelines are finalised, stakeholders subject to both the DSA and the GDPR should monitor developments and begin assessing how the proposed interpretations may affect their compliance strategies, particularly in areas where obligations under the two frameworks intersect.

Footnotes

1. Regulation (EU) 2022/2065 of 19 October 2022.

2. Regulation (EU) 2016/679 of 27 April 2016.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
