Please enable javascript in your browser to view this site

Understanding the GDPR’s interplay with the DSA and DMA

The EC and EDPB are seeking to provide regulatory certainty for platforms navigating the overlaps in the EU’s digital regulation through proposed interplay guidelines

The EC and EDPB have opened consultations on guidelines for the interplay between the GDPR and the DSA and the DMA respectively

On 12 September 2025, the European Data Protection Board (EDPB) published a consultation on guidelines for the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). Following this, on 9 October 2025, the EC and the EDPB published a similar consultation on guidelines for the interplay between the Digital Markets Act (DMA) and the GDPR. A third consultation on the AI Act’s interplay with the GDPR is also expected but only in Q3 2026, notably after some key provisions of the AI Act will come into force. Amidst the EC’s goals for regulatory simplification and streamlining, these consultations look to provide clarity on the complex interplay and overlap of key digital regulation, making obligations and necessities for compliance clearer for regulated firms. The DSA consultation closes on 31 October 2025, and the DMA version closes on 4 December 2025.

The EDPB’s proposed DSA-GDPR interplay guidelines detail provisions on key issues such as the protection of minors and dark patterns

Given that a number of the DSA’s provisions refer to the protection of personal data as well as profiling and special categories of data, the DSA and the GDPR cover much of the same conduct from many of the same firms. The proposed guidelines cover a range of areas such as the protection of minors, on which the EDPB recognises that the GDPR can provide legal justifications for the processing of the personal data of minors in some contexts when absolutely necessary. This section also recommends that the providers of online platforms should avoid using age assurance mechanisms that enable specific identification of the age of users – also stating that any age or age range recorded as a result should not be kept permanently. With regard to deceptive design patterns, the EDPB explains that the prohibition of dark patterns under the DSA does not apply to practices covered by the GDPR, outlining how to differentiate between the two. Under the guidelines, dark patterns would be subject to the GDPR if they manipulate users into sharing their personal data, leaving dark patterns used for other means to be regulated by the DSA. However, further interplay issues could arise between the GDPR, DSA and forthcoming Digital Fairness Act (DFA), which is also expected to regulate dark patterns used for any purpose among a wider range of platforms. The guidelines also cover clarifications over advertising transparency, the interplay of codes of conduct, provisions on recommender systems as well as notice and action systems used in the reporting of illegal content and more.

The draft guidelines on the DMA-GDPR interplay aim to promote compliance with the GDPR throughout interoperability, data portability and user consent processes

The EC and EDPB’s publication of proposed guidelines on the interplay between the DMA and the GDPR is aimed at reducing uncertainty for regulated firms and ensuring that the requirements of the DMA are applied in line with the GDPR. It is also the first ever set of guidelines to be jointly published by both the EC and the EDPB. One of the key areas the proposed guidelines focuses on is consent. The DMA prohibits designated gatekeepers from processing certain personal data without user consent, and the proposed guidelines explain that this consent must also comply with the GDPR’s requirements, meaning it must be freely given, specific and unambiguous. The guidelines align with the EC’s prior enforcement decision under the DMA regarding “pay or consent” models of data processing, in which Meta was fined €200m (£170.6m). Under both laws, consent cannot be considered freely given if the user’s only other choice is to pay a fee. The guidelines would also require that consent for data processing be enacted by gatekeepers in a single flow that is user-friendly. On data portability, the guidelines discuss the expanded rights of consumers under the DMA, enabling end users and authorised third parties to request personal data from core platform services (CPSs) for a much broader range of reasons than the GDPR allows for. Certain interoperability processes required by the DMA are also subject to the GDPR’s data protection obligations under the guidelines. The guidelines provide further detail on other issues such as data access and anonymisation, the distribution of software applications and other end user consent practices.