In September, the European Data Protection Board (EDPB) published its Guidelines 3/2025 on the interaction between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR).
The message is clear: the DSA does not replace the GDPR — both must be applied together.
In practice, this means that whenever the DSA requires you to process personal data, the GDPR remains your binding legal framework.
For digital platforms and marketplaces, this is a new challenge: it’s no longer enough to simply keep your privacy policy up to date or display a cookie banner. You’ll need to review moderation systems, ads, and age verification tools through a double lens — complying with the DSA without violating the GDPR and ensuring full data protection on your website.
The DSA allows platforms to investigate and remove illegal content. But beware: if you process personal data in that process (for instance, identifying a user who uploads content), you need a valid legal basis under the GDPR or national data protection laws.
For voluntary investigations, the most common legal basis will be legitimate interest, provided you respect proportionality.
If the investigation is carried out under a clear legal obligation, that will be your legal basis.
Additionally, if you use automated systems to block or flag content, you must disclose the logic, error rates, and criteria used. Remember: the GDPR restricts fully automated decisions with significant effects and requires safeguards such as human review.
The DSA also requires platforms to offer mechanisms to report illegal content and submit complaints. This means handling data from reporters, affected users, and third parties — and therefore triggers GDPR obligations for data protection and transparency.
Best practices:
When complaint systems rely on automated processes with significant effects, the GDPR also requires human oversight, just as it does with cookie management or Consent Mode v2 systems.
Infinite scrolls, confusing buttons, or dark patterns that manipulate users into giving consent or data are now prohibited by the DSA.
When these techniques are used to obtain cookie consent or personal information, they also violate the GDPR.
If your interface nudges users toward accepting cookies or doesn’t offer clear options like “Reject all” or “Configure cookies,” you’re breaching both frameworks. The EDPB’s recommendation is simple: redesign your platform and remove any dark patterns related to privacy or cookie banners.
The DSA raises the bar for advertising transparency:
Intensive profiling may count as an automated decision under the GDPR, activating additional obligations: explaining the logic, reasons, and possible consequences to the user.
If you manage marketing campaigns or Consent Mode v2, make sure your cookie banner, legal texts, and privacy policy are properly integrated and GDPR-compliant.
Platforms accessible to minors must apply proportional measures to protect them. Among these:
Every age-verification process must have a valid legal basis, respect data minimization, and, whenever possible, avoid full user identification.
For very large platforms (VLOPs and VLOSEs), the DSA imposes the duty to detect and mitigate systemic risks. When that work involves high-risk data processing, the GDPR requires a data protection impact assessment (DPIA) before deploying large-scale moderation or recommendation systems.
Even if these rules primarily apply to tech giants, they signal where EU regulation is headed — and they’re a useful benchmark for any legally compliant website or online business handling personal data.
✅ Review moderation processes — define clear legal bases and ensure human review for impactful decisions.
✅ Adjust complaint systems — request minimal data, notify users, and justify each decision.
✅ Redesign interfaces — remove any dark patterns.
✅ Improve ad transparency — show targeting criteria and avoid sensitive data.
✅ Apply age-appropriate protection measures without unnecessary data collection.
✅ If you’re a large platform, conduct impact assessments where needed.
And don’t forget the basics of legal website compliance:
The EDPB’s Guidelines 3/2025 make it clear: the GDPR remains the foundation of data protection, while the DSA adds new transparency and safety obligations in the digital environment.
For platforms, the challenge is not choosing one framework over the other — but applying both coherently. Ultimately, it’s about ensuring users can browse the internet with confidence, knowing their rights are protected and your website stays legally compliant.
Lawwwing helps you keep your website fully compliant, with an automated cookie banner, Consent Mode v2 integration, updated legal texts, and a privacy policy adapted to both the DSA and GDPR.