Brussels, 12 September - During its September plenary meeting, the European Data Protection Board (EDPB) has adopted guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). These are the first set of EDPB guidelines on the interplay between the GDPR and the EU’s recently adopted digital laws.

The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. Its main goal is to create a safer online environment in which the fundamental rights of all users, including the right to freedom of expression, are protected. It applies to online intermediary services, such as search engines and platforms.

Several provisions included in the DSA entail the processing of personal data by intermediary service providers. The EDPB guidelines contribute to the consistent application of the DSA and of the GDPR, insofar as some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions.

While it is up to the competent authorities under the DSA - with the support of the European Board for Digital Services and EU courts - to interpret the DSA, there are a number of provisions which relate to the GDPR.

These include:

• notice-and-action systems that help individuals or entities report illegal content
• recommender systems used by online platforms to automatically present specific content to the users of the platform with a certain relative order or prominence
• the provisions to ensure a high level of privacy, safety, and security of minors and prohibiting that profile-based advertising using their data is presented to them
• transparency of advertising by online platforms
• prohibition of profiling-based advertising using special categories of data 

The EDPB guidelines help to understand how the GDPR should be applied in the context of DSA obligations.

The EDPB also provides practical guidance relating to the cross-regulatory cooperation between authorities to coordinate enforcement which will provide more legal certainty for intermediary service providers and ultimately to protect the rights and freedoms of individuals.

The guidelines will be subject to public consultation, providing stakeholders with the opportunity to comment and provide feedback.

EDPB Chair Anu Talus said: “By clarifying the interplay between the DSA and the GDPR, these guidelines mark a significant step towards ensuring a coherent and effective EU digital rulebook, and they will help uphold the fundamental rights and freedoms of individuals.

I hope that stakeholders, including the competent authorities under the DSA, will make the most of the opportunity to contribute to the public consultation".

More work in the pipeline

Following these first guidelines on the interplay between the GDPR and the DSA, further work is underway with other regulators to clarify the new cross-regulatory landscape and maintain coherent and consistent safeguards for the protection of personal data. In this regard, the EDPB is working on joint guidelines with the European Commission on the interplay between the Digital Markets Act (DMA) and the GDPR, as well as on joint guidelines on the interplay between the AI Act and EU data protection laws.