European Data Protection Board clarifies DSA compliance for marketers

New guidelines address profiling restrictions, age verification, and advertising transparency obligations under dual regulatory framework.

The European Data Protection Board (EDPB) adopted Guidelines 3/2025 on September 11, 2025, establishing how digital marketers must navigate the complex intersection between the Digital Services Act and the General Data Protection Regulation. According to the EDPB, these guidelines address critical compliance gaps where platforms process personal data while meeting DSA obligations.

The 38-page document outlines specific scenarios where marketing activities trigger both DSA and GDPR requirements simultaneously. Advertising transparency obligations under Article 26 DSA require platforms to provide real-time information about advertisement parameters, while GDPR mandates prior disclosure before data collection begins. According to the guidelines, "information required under Article 26 DSA would be provided after a processing of personal data may have occurred," creating temporal coordination challenges for compliance teams.

Marketing professionals face heightened restrictions on profiling activities under the combined framework. The EDPB clarifies that Article 26(3) DSA prohibits advertisement presentation "based on profiling using special categories of personal data" regardless of GDPR derogations. This prohibition applies even when providers rely on appropriate legal bases under Article 6(1) GDPR and valid derogations under Article 9(2) GDPR. According to Mateusz Kupiec from the Polish Academy of Sciences Institute of Law Studies, who analyzed the guidelines on LinkedIn, the prohibition "complements GDPR restrictions, reinforcing a layered protection regime."

Content moderation systems require careful legal basis assessment under both frameworks. The EDPB establishes that voluntary detection of illegal content under Article 7 DSA necessitates either legitimate interest under Article 6(1)(f) GDPR or legal obligation under Article 6(1)(c) GDPR. According to the guidelines, controllers must demonstrate processing necessity through balancing tests that consider data subject expectations and proportionality requirements.

Children receive enhanced protection under the dual regulatory approach. Article 28 DSA mandates high privacy, safety, and security levels for minors, while GDPR establishes specific consent and processing restrictions. The guidelines emphasize risk-based age assurance that avoids "unambiguous online identification" through government-issued documentation. According to the EDPB, providers should "not estimate or verify and permanently store the age or age range of the recipient" but rather record qualification status for service access.

Recommender systems face algorithmic transparency requirements that may trigger automated decision-making provisions. The EDPB notes that content presentation through algorithmic curation could constitute Article 22(1) GDPR decisions when producing significant effects on users. Platforms providing multiple recommender options must present choices equally without nudging toward profiling-based systems. During non-profiling operation periods, providers cannot "continue to collect and process personal data to profile the user."

Notice and action mechanisms under Articles 16 and 17 DSA involve substantial personal data processing requiring GDPR compliance. Hosting providers must implement notification systems that enable but do not require notifier identification unless necessary for illegal content determination. According to the guidelines, providers should collect only necessary contact information and limit notifier identity disclosure to affected recipients when "strictly necessary."

Very Large Online Platforms face enhanced risk assessment obligations under Articles 34 and 35 DSA that often mandate Data Protection Impact Assessments under GDPR Article 35. The EDPB indicates systemic risk identification likely triggers mandatory DPIA requirements when processing affects fundamental rights. Risk mitigation measures must align with data protection by design and default obligations while addressing large-scale processing concerns.

Deceptive design patterns receive parallel prohibition under both regulatory frameworks. Article 25(1) DSA prohibits patterns impairing autonomous decision-making, while GDPR fairness principles prevent manipulative data collection. The guidelines specify that GDPR coverage depends on whether patterns influence personal data processing behavior rather than general commercial decisions.

Enforcement coordination between Digital Services Coordinators and data protection authorities requires sincere cooperation under EU Treaty obligations. The EDPB emphasizes mutual consultation requirements when authorities examine intermediary service provider conduct under parallel frameworks. According to the guidelines, such cooperation improves legal certainty while avoiding regulatory inconsistencies and ne bis in idem violations.

Advertising industry stakeholders have expressed concerns about overlapping regulatory frameworks, arguing that comprehensive rules already exist through DSA, GDPR, and Unfair Commercial Practices Directive coverage. IAB Europe previously published transparency implementation approaches for meeting DSA advertising disclosure requirements through standardized data formats and industry coordination.

The guidelines emerge amid ongoing implementation challenges across member states. German businesses have systematically exploited DSA notification mechanisms to remove critical reviews, while the European Commission recently defended the framework against censorship allegations by citing 35% success rates for content restoration appeals.

Technical implementation requirements emphasize privacy-preserving approaches to dual compliance. The EDPB recommends zero-knowledge proofs and local processing solutions that minimize additional tracking or profiling risks. Security measures receive particular attention given the sensitive nature of age verification and advertising transparency data flows.

Code of conduct development under Article 45 DSA must coordinate with GDPR Article 40 provisions to ensure regulatory consistency. The EDPB welcomes Commission encouragement for voluntary frameworks while emphasizing data protection authority involvement in advertising-related code development. Key performance indicators should complement both DSA risk mitigation and GDPR accountability requirements.

Cross-border enforcement presents coordination challenges between national competent authorities and data protection supervisory authorities. While Member States may designate different authorities for DSA supervision, the principle of sincere cooperation requires consultation when examining intermediary service provider conduct under parallel frameworks. The European Commission maintains exclusive Very Large Online Platform supervision powers under DSA Section 5 obligations.

Implementation timelines vary across platforms and obligations. Current enforcement includes formal proceedings against major American technology companies, with X reportedly facing over €1 billion in potential penalties. The guidelines provide immediate applicability for ongoing compliance assessments while supporting long-term regulatory coherence objectives.

Marketing technology providers must establish governance frameworks addressing both DSA transparency and GDPR accountability requirements. Documentation obligations include processing purposes, legal bases, technical safeguards, and risk mitigation measures across content moderation, advertising delivery, and user protection systems.

Timeline

Key developments in DSA-GDPR regulatory convergence:

Summary

Who: The European Data Protection Board published guidelines affecting digital marketers, online platforms, Very Large Online Platforms, advertising technology providers, and data protection authorities across 27 EU member states.

What: Guidelines 3/2025 establish compliance requirements for processing personal data while meeting Digital Services Act obligations, covering advertising transparency, content moderation, age verification, recommender systems, and enforcement coordination.

When: The EDPB adopted the guidelines on September 11, 2025, with immediate applicability for ongoing DSA compliance assessments and long-term regulatory coherence objectives.

Where: The framework applies across all European Union member states for intermediary service providers processing personal data under both DSA and GDPR jurisdiction, with extraterritorial effects for global platforms.

Why: The guidelines address critical compliance gaps where DSA provisions reference GDPR concepts without clear implementation guidance, ensuring coherent interpretation and preventing regulatory inconsistencies that could undermine both user protection and legal certainty.