EDPB issues guidelines on GDPR-DSA tension for platforms

New rules recommend legitimate interests as a lawful basis for proactive platform investigations, adding transparency, accuracy and DPIA duties.


On 12 September 2025, the European Data Protection Board (EDPB) adopted draft guidelines detailing how online platforms should reconcile requirements under the GDPR and the Digital Services Act (DSA). The draft is now open for public consultation through 31 October.

The guidelines address key areas of tension, including proactive investigations, notice-and-action systems, deceptive design, recommender systems, age safety and transparency in advertising. They emphasise that DSA obligations must be implemented in ways consistent with GDPR principles.

For instance, the guidelines suggest that proactive investigations of illegal content should generally be grounded in ‘legitimate interests’, include safeguards for accuracy, and avoid automated decisions with legal effects.

Platforms are also told to provide users with non-profiling recommendation systems. The documents encourage data protection impact assessments (DPIAs) where high risks are identified.

The guidance also clarifies that the DSA does not override the GDPR. Platforms subject to both must ensure lawful, fair and transparent processing while integrating risk analysis and privacy by design. The draft guidelines include practical examples and cross-references to existing EDPB documents.
