
The European Union’s regulatory landscape for digital services has evolved considerably with the Digital Services Act (DSA) working alongside the established General Data Protection Regulation (GDPR). These two frameworks don’t simply coexist; they create a complementary regulatory structure that’s particularly relevant for data protection and user rights in digital advertising.
Understanding their relationship is essential for anyone operating in today’s European digital marketplace, where both regulations create interlocking obligations that directly impact how you handle personal data and operate online platforms. This interplay affects compliance strategies across the digital advertising ecosystem.
What is the GDPR?
The General Data Protection Regulation (GDPR) represents the EU’s comprehensive data protection framework, operational since 25 May 2018. This regulation fundamentally reshaped how personal data must be processed across all EU member states, replacing the previous patchwork of national laws that had evolved from the 1995 Data Protection Directive.
The GDPR applies to any entity processing the personal data of EU citizens and residents, regardless of where your company is based. If you’re targeting or collecting data from people in the EU, these rules govern your operations. The regulation serves a dual purpose: protecting fundamental rights and freedoms of individuals, particularly their right to data protection as enshrined in Article 8 of the EU Charter of Fundamental Rights and operationalised by Article 1 of the regulation, while harmonising data protection laws across Europe to facilitate business operations within the digital single market.
Personal data under the GDPR encompasses more than traditional identifiers. It includes any information relating to an identified or identifiable person, covering online identifiers like cookies and device fingerprints that form the foundation of modern digital advertising operations.
Key Principles of GDPR
The GDPR establishes seven fundamental data processing principles, outlined in Article 5. These principles form the cornerstone of European data protection compliance:
- Lawfulness, fairness and transparency are key requirements for all data processing activities;
- Purpose limitation demands that personal data be collected for specific, explicit, and legitimate purposes and not processed in ways incompatible with those original purposes;
- Data minimisation means you should only collect and process personal data that’s adequate, relevant and necessary for your specified purposes;
- Accuracy requires keeping personal data accurate and current, with prompt correction or deletion of inaccurate information;
- Storage limitation prevents indefinite data retention, requiring you to keep personal data only as long as necessary for your original purposes;
- Integrity and confidentiality demands appropriate security measures to protect personal data against unauthorised or unlawful processing, and against accidental loss, destruction or damage;
- Accountability places responsibility on you to demonstrate compliance with all these principles.
Key Differences Between DSA and GDPR
While these regulations share common objectives around protecting individual rights, they address different aspects of the digital environment. Understanding these distinctions helps you determine which obligations apply to your specific services and operations.
| Aspect | GDPR | DSA |
|---|---|---|
| Primary Objective | Protects personal data and privacy rights of individuals | Creates a safer digital environment that facilitates innovation and protects consumer rights |
| Scope of Application | Applies to all entities processing personal data of individuals in the EU | Targets intermediary services (e.g. hosting, online platforms, and search engines) provided to users in the EU |
| Type of Obligations | Focuses on data processing principles, individual rights, and consent frameworks | Emphasises transparency, content moderation, risk management, and enhanced obligations for large platforms |
The GDPR takes a horizontal approach across all sectors processing personal data, whilst the DSA applies only to intermediary services as defined in Article 3(g), including hosting services and, within them, online platforms that disseminate user content to the public. Basic DSA duties apply to all intermediary services, enhanced requirements govern online platforms, and the most stringent obligations apply to VLOPs and VLOSEs (very large online platforms and very large online search engines) serving over 45 million monthly active users in the EU.
This represents a layered regulatory approach where universal data protection principles work alongside platform-specific governance requirements.
How DSA and GDPR interact
The DSA explicitly states it operates “without prejudice to” the GDPR, meaning both regulations apply simultaneously, and you must comply with whichever provides stronger protection. This creates several important areas of interaction, particularly around data protection rules the DSA introduces for online advertising.
Recommender systems must offer non-profiling alternatives. Where a Very Large Online Platform or Search Engine uses a recommender system, Article 38 of the DSA requires it to provide at least one recommender system option that doesn’t rely on profiling as defined in the GDPR. This requirement creates a direct connection between DSA obligations and GDPR definitions, requiring you to understand both frameworks for compliant implementation.
The DSA also introduces a complete prohibition on data-driven advertising based on special categories of personal data. Article 26(3) prohibits online platforms from presenting advertisements based on profiling using special categories defined in Article 9(1) of the GDPR. This includes data revealing racial or ethnic origin, political opinions, religious beliefs, health information, or sexual orientation.
Notably, this prohibition applies regardless of consent, making it stricter than the GDPR’s approach, which typically allows processing special category data with explicit consent.
Data-driven advertising targeting minors is entirely prohibited under Article 28(2) of the DSA. Online platforms cannot present profiling-based advertisements when they’re aware with reasonable certainty that the recipient is a minor. This protection works alongside the GDPR’s enhanced safeguards for children’s data, creating stronger protection for young people online.
These interactions demonstrate how the DSA builds upon GDPR foundations whilst introducing additional protections specific to the digital platform environment. Your data processing practices must satisfy both sets of requirements, particularly when implementing advertising and content personalisation systems.

What should businesses do to comply with both DSA and GDPR?
Achieving compliance with both regulations requires integrated policies that address overlapping requirements whilst respecting each framework’s distinct obligations. Your approach should combine data protection principles with platform-specific transparency and safety measures.
- Implement detailed advertising transparency under Article 26 of the DSA – You must explain to users the main parameters used to select them as recipients for specific advertisements and provide information about how they can change those parameters. This goes beyond GDPR transparency requirements by demanding real-time, advertisement-specific information rather than general privacy policy statements.
- Leverage EDAA’s YourOnlineChoices.eu tool for personalisation – Companies can utilise this industry-developed portal to enable users to express their preferences regarding personalised advertising. This provides a standardised mechanism for users to control advertising choices across multiple services, helping you align with both DSA transparency requirements and GDPR choice obligations.
- Establish robust protection for special categories of data – Your compliance strategy must include systems for identifying and protecting special categories of data to ensure you never use this information for advertising purposes under the DSA’s absolute prohibition. This requires clear data classification and processing controls.
- Implement age verification and protection systems – Implement proportionate measures to establish reasonable certainty about users’ ages. This might entail deploying age verification or estimation systems to prevent targeting minors with personalised advertising, protecting young people’s data under both frameworks.
- Maintain comprehensive documentation and regular auditing – These remain essential for demonstrating compliance with both frameworks. The DSA’s risk assessment requirements for large platforms complement the GDPR’s accountability principle, requiring systematic evaluation and mitigation of potential harms whilst maintaining detailed records of your data processing activities.

By integrating these approaches, you create a compliance framework that protects user rights under both regulations whilst preserving operational flexibility for legitimate business purposes in the European digital advertising ecosystem. This integrated approach helps build user trust and ensures sustainable business practices in an increasingly regulated digital environment.