Guidelines 3/2025 on the interplay between the Digital Services Act and the GDPR

The Digital Services Act (DSA) sets out various rules and obligations for intermediary service providers. While the DSA is subject to interpretation by the competent authorities under the DSA, the European Board for Digital Services (EBDS), and EU courts, there are a number of provisions that relate to the data protection legal framework, such as rules that refer to ‘profiling’ and ‘special categories of data’ in the meaning of the GDPR, and have implications for the processing of personal data by intermediary service providers. Coherent interpretation and application of the DSA and the GDPR by the competent supervisory authorities under each regulation, as well as adequate mechanisms to ensure this consistency, are important to provide legal certainty for intermediary service providers and ultimately to protect the rights and freedoms of data subjects. These guidelines aim to contribute to the consistent interpretation and application of the DSA and of the GDPR insofar as some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions. The guidelines focus on specific provisions of the DSA where there is a significant interplay with the GDPR. The guidelines recognise that efforts to detect, identify, and address (e.g., de-monetise, remove or disable access to) illegal content under Article 7 DSA may involve processing of personal data using different techniques. In addition to highlighting specific risks for individuals that should be mitigated in the context of content moderation, the guidelines clarify under which conditions Article 6(1)(c) or (f) GDPR may serve as a lawful basis for measures to detect, identify and disable illegal content, including by offering examples. […]