Excerpt from Osborne Clarke Article, Published on November 27, 2025
The European Data Protection Board (EDPB) has released Guidelines 3/2025 to clarify how the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR) should operate together in practice. This new guidance arrives at a time when digital regulation continues to expand, and organisations must understand how overlapping compliance duties apply across different legal frameworks.
A central message from the EDPB is that the DSA does not replace or diminish GDPR obligations. Whenever a platform carries out tasks under the DSA that involve processing personal data, GDPR requirements continue to apply in full. This principle affects several core areas of digital – platform operations.
One major focus is content moderation. Under the DSA, platforms must provide mechanisms for users to report illegal content, but this process inevitably involves handling personal data from notifiers, content creators, or affected individuals. As a result, GDPR principles — including data minimisation, transparency, and the need for a lawful basis — remain essential.
Advertising rules also receive attention. The DSA requires platforms to disclose details about sponsored content and targeting criteria. Yet many targeted – advertising activities qualify as profiling under the GDPR, which introduces additional duties such as explaining automated decision – making and ensuring safeguards where sensitive data is involved. The EDPB makes clear that platforms may not rely on sensitive data for profiling – based ads under any circumstances.
Another highlighted topic is the use of “dark patterns,” or design choices meant to manipulate user behaviour. If a design feature involves processing personal data, then GDPR rules apply alongside the DSA’s restrictions. For instance, a scarcity prompt followed by a request for personal information must still comply with GDPR fairness and transparency standards.
For services accessible to minors, the EDPB stresses the importance of proportionate, privacy – preserving age – assurance methods. Collecting unnecessary or excessive data, such as government IDs, should be avoided.
Overall, the guidance reinforces the need for platforms to integrate “data protection by design,” ensuring coordinated compliance with both the DSA and GDPR.
To delve deeper into this topic, visit Osborne Clarke.
