European Union: European Data Protection Board opened consultation on guidelines 3/2025 on interplay between Digital Services Act and General Data Protection Regulation

On 12 September 2025, the European Data Protection Board (EDPB) opened a consultation on the guidelines 3/2025 on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR) until 31 October 2025. The guidelines provide technical clarification on provisions of the DSA that involve the processing of personal data by intermediary service providers. They address legal bases for voluntary own-initiative investigations under Article 7 DSA and the processing of personal data in notice-and-action and internal complaint-handling mechanisms under Articles 16, 17, 20 and 23 DSA. Another section examines the limits on automated decision-making consistent with Article 22 GDPR. The consultation further examines deceptive design patterns prohibited by Article 25 DSA when these practices involve personal data. It discusses transparency obligations under Article 26 DSA on advertising. It also reviews the relationship of profiling restrictions with Articles 9 and 22 GDPR. The guidelines additionally cover recommender systems under Articles 27 and 38 DSA, protections for minors under Article 28 DSA, and systemic risk assessments under Articles 34 and 35 DSA. Finally, they examine the governance framework requiring cooperation between Digital Services Coordinators, the European Commission, the European Board for Digital Services, and national data protection authorities.