In September, the European Data Protection Board (EDPB)<\/strong> published its Guidelines 3\/2025<\/strong> on the interaction between the Digital Services Act (DSA)<\/strong> and the General Data Protection Regulation (GDPR)<\/strong>. In practice, this means that whenever the DSA requires you to process personal data, the GDPR remains your binding legal framework<\/strong>.<\/p>\n\n\n\n For digital platforms<\/strong> and marketplaces<\/strong>, this is a new challenge: it\u2019s no longer enough to simply keep your privacy policy<\/strong> up to date or display a cookie banner<\/strong>. You\u2019ll need to review moderation systems, ads, and age verification tools through a double lens \u2014 complying with the DSA without violating the GDPR<\/strong> and ensuring full data protection on your website<\/strong>.<\/p>\n\n\n\n The DSA allows platforms to investigate and remove illegal content. But beware: if you process personal data<\/strong> in that process (for instance, identifying a user who uploads content), you need a valid legal basis under the GDPR<\/strong> or national data protection laws<\/strong>.<\/p>\n\n\n\n For voluntary investigations, the most common legal basis will be legitimate interest<\/strong>, provided you respect proportionality. Additionally, if you use automated systems<\/strong> to block or flag content, you must disclose the logic, error rates, and criteria used. Remember: the GDPR restricts fully automated decisions with significant effects and requires safeguards such as human review<\/strong>.<\/p>\n\n\n\n The DSA also requires platforms to offer mechanisms to report illegal content and submit complaints. This means handling data from reporters, affected users, and third parties \u2014 and therefore triggers GDPR obligations for data protection and transparency<\/strong>.<\/p>\n\n\n\n Best practices:<\/strong><\/p>\n\n\n\n When complaint systems rely on automated processes with significant effects, the GDPR also requires human oversight<\/strong>, just as it does with cookie management<\/strong> or Consent Mode v2<\/strong> systems.<\/p>\n\n\n\n Infinite scrolls, confusing buttons, or dark patterns that manipulate users into giving consent or data are now prohibited by the DSA<\/strong>. If your interface nudges users toward accepting cookies or doesn\u2019t offer clear options like \u201cReject all\u201d or \u201cConfigure cookies,\u201d you\u2019re breaching both frameworks. The EDPB\u2019s recommendation is simple: redesign your platform<\/strong> and remove any dark patterns<\/strong> related to privacy or cookie banners<\/strong>.<\/p>\n\n\n\n The DSA raises the bar for advertising transparency<\/strong>:<\/p>\n\n\n\n Intensive profiling may count as an automated decision<\/strong> under the GDPR, activating additional obligations: explaining the logic, reasons, and possible consequences to the user.<\/p>\n\n\n\n If you manage marketing campaigns<\/strong> or Consent Mode v2<\/strong>, make sure your cookie banner<\/strong>, legal texts<\/strong>, and privacy policy<\/strong> are properly integrated and GDPR-compliant.<\/p>\n\n\n\n Platforms accessible to minors must apply proportional measures to protect them. Among these:<\/p>\n\n\n\n Every age-verification process<\/strong> must have a valid legal basis, respect data minimization<\/strong>, and, whenever possible, avoid full user identification.<\/p>\n\n\n\n For very large platforms (VLOPs and VLOSEs), the DSA imposes the duty to detect and mitigate systemic risks<\/strong>. When that work involves high-risk data processing, the GDPR requires a data protection impact assessment (DPIA)<\/strong> before deploying large-scale moderation or recommendation systems.<\/p>\n\n\n\n Even if these rules primarily apply to tech giants, they signal where EU regulation<\/strong> is headed \u2014 and they\u2019re a useful benchmark for any legal-compliant website<\/strong> or online business<\/strong> handling personal data.<\/p>\n\n\n\n \u2705 Review moderation processes \u2014 define clear legal bases and ensure human review for impactful decisions. And don\u2019t forget the basics of legal website compliance<\/strong>:<\/p>\n\n\n\n <\/p>\n\n\n\n The EDPB\u2019s Guidelines 3\/2025<\/strong> make it clear: the GDPR<\/strong> remains the foundation of data protection, while the DSA<\/strong> adds new transparency and safety obligations in the digital environment.<\/p>\n\n\n\n For platforms, the challenge is not choosing one framework over the other \u2014 but applying both coherently. Ultimately, it\u2019s about ensuring users can browse the internet with confidence, knowing their rights are protected and your website stays legally compliant<\/strong>.<\/p>\n\n\n\n
The message is clear: the DSA does not replace the GDPR \u2014 both must be applied together.<\/p>\n\n\n\nContent moderation: more guarantees and transparency<\/h2>\n\n\n\n
If the investigation is carried out under a clear legal obligation<\/strong>, that will be your legal basis.<\/p>\n\n\n\nNotification and complaint channels<\/h2>\n\n\n\n
\n
Goodbye to deceptive patterns<\/h2>\n\n\n\n
When these techniques are used to obtain cookie consent<\/strong> or personal information, they also violate the GDPR<\/strong>.<\/p>\n\n\n\nAdvertising and targeting<\/h2>\n\n\n\n
\n
Protection of minors<\/h2>\n\n\n\n
\n
Systemic risks and large platforms<\/h2>\n\n\n\n
Checklist for your digital platform<\/h2>\n\n\n\n
\u2705 Adjust complaint systems \u2014 request minimal data, notify users, and justify each decision.
\u2705 Redesign interfaces \u2014 remove any dark patterns.
\u2705 Improve ad transparency \u2014 show targeting criteria and avoid sensitive data.
\u2705 Apply age-appropriate protection<\/strong> measures without unnecessary data collection.
\u2705 If you\u2019re a large platform, conduct impact assessments<\/strong> where needed.<\/p>\n\n\n\n\n
Conclusion<\/h3>\n\n\n\n
Is your website ready for 2025 compliance?<\/h3>\n\n\n\n