Digital Services Act: Mapping the Interplays with the GDPR
This resource maps the interplays between the Digital Services Act and the GDPR.
Contributors:
Müge Fazlioglu
CIPP/E, CIPP/US
Principal Researcher, Privacy Law and Policy
IAPP
This infographic is part of a series that maps different EU digital laws with the GDPR.
The Digital Services Act applies tiered obligations to various classes of intermediary service providers, imposing the strictest rules upon entities designated by the European Commission as very large online platforms and very large online search engines. The DSA aims to create a safe, predictable and trusted online environment by preventing the dissemination of illegal content, reducing societal risks stemming from the spread of disinformation and preserving fundamental rights. These aims are complementary to those of the EU General Data Protection Regulation, which seeks to protect the fundamental rights of data subjects. To better harmonize the overlapping obligations of the DSA and GDPR, the European Data Protection Board has adopted formal guidelines on their interplay.
This resource, drawing from the EU Digital Laws Report 2025, maps interplays between the DSA and the GDPR.
The IAPP additionally hosts a Digital Services Act: 101 chart, part of a European Strategy for Data series that provides an overview of EU privacy, cybersecurity and AI legislation.
Digital Services Act and GDPR interplay mapping
Digital Services Act
- Article 7
ISPs may carry out voluntary investigations on their own initiative and take measures to detect, identify, remove and/or disable access to illegal content online.
GDPR
- Articles 5 and 6(1)(c, f)
Processing of personal data under Article 7 DSA must observe the principles of Article 5 GDPR and other obligations of controllers. Legitimate interests may serve as the most appropriate legal basis for ISPs to process personal data to develop measures to detect, identify and disable illegal content.
Digital Services Act
- Articles 16-17 and 22
GDPR
- Articles 5(1)(c) and 13
Personal data collected from the notifier should be limited to what is necessary for this specific purpose and generally not beyond what is referred to in Article 16(2) DSA. If the notifier’s personal data is communicated to the affected recipient of the service, the notifier (i.e., the data subject) should be kept informed.
Digital Services Act
- Articles 20 and 23
Providers of online platforms may be required to carry out further processing of personal data in order to comply with their obligations to provide recipients of their service, as well as individuals and entities that have submitted a notice via Article 16 DSA, with an internal complaint-handling system, and suspend the provision of their services to recipients that frequently provide illegal content.
GDPR
- Articles 5 and 12-14
When providers of online platforms act as controllers in conducting their Article 20 DSA obligations, they should respect the rights and remedies available to data subjects pursuant to the GDPR, in particular the principles of data minimization, accuracy, transparency and data retention.
Digital Services Act
- Article 25 and Recitals 67, 81 and 83
Article 25(1) DSA requires providers of online platforms to avoid the use of deceptive design patterns in their interfaces, but, according to Article 25(2) DSA, this prohibition does not apply to the practices of providers covered by the GDPR or by the Unfair Commercial Practices Directive.
GDPR
- Articles 4(11), 5(1)(a-c), 7, 12 and 25
When assessing whether a deceptive design pattern is covered within the scope of the GDPR, key considerations include whether personal data is being processed and whether the pattern influences a data subject’s behavior in relation to that processing of personal data.
Digital Services Act
- Article 26(1) and Recitals 68 and 107
Providers of online platforms must be transparent toward recipients of their services regarding advertisements presented on their interfaces. This information may be provided after the processing of personal data may have occurred.
GDPR
- Articles 13-14
In contrast to Article 26 DSA, Article 13 GDPR requires that information be provided at the time when personal data is obtained, before the processing takes place.
Digital Services Act
- Article 26(3)
The use of special categories of data to present advertisements based on profiling is prohibited.
GDPR
- Articles 4(4), 6(1), 9(1-2) and 22(4)
The prohibition on the use of special categories of data applies even in situations where the provider of the online platform would otherwise rely on an appropriate legal basis under GDPR Article 6(1) and an appropriate derogation under GDPR Article 9(2) for its processing.
Digital Services Act
- Articles 3(s), 27 and 38
When providing different options for recommender systems to users, providers of online platforms should not nudge users to select the option for a recommender system that is based on profiling.
GDPR
- Articles 4(4) and 22(1)
VLOPs and VLOSEs that use recommender systems must provide at least one option not based on profiling as defined under GDPR Article 4(4). The presentation of specific content to a user of an online platform via a recommender system would be considered a “decision” within the meaning of GDPR Article 22(1), especially when it can have serious consequences for individuals.
Digital Services Act
- Article 28(1-2)
When putting in place measures to ensure a high level of privacy, safety and security for minors (e.g., age assurance), providers of online platforms may rely on Article 28(1-2) of the DSA as a legal basis for the processing of personal data under GDPR Article 6(1)(c).
GDPR
- Articles 4(4), 6(1)(c) and 6(3)
Processing personal data under Article 28 DSA must still adhere to the general requirements of the GDPR and the controller must demonstrate that such processing is necessary and proportionate.
Digital Services Act
- Articles 34-35
VLOPs and VLOSEs must manage systemic risks of their services, including risks to fundamental rights such as privacy and the protection of personal data.
GDPR
- Articles 5(1)(c), 25 and 35
Data minimization and data protection by design and by default may contribute to the management of systemic risks by VLOPs and VLOSEs. Under Article 35 GDPR, a data protection impact assessment is likely to be required if a systemic risk is identified.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.