| Scope boundary | Intermediary services offered to recipients in the Union, with duties increasing for hosting services, online platforms, marketplaces, and VLOPs/VLOSEs. | Processing of personal data wholly or partly by automated means, or non-automated processing in a filing system, by controllers and processors within GDPR scope. | Classify the service under the DSA and the processing operation under GDPR. One classification does not answer the other. |
| Covered actors | Trust and safety, platform policy, marketplace operations, advertising, recommender-system, legal, transparency-reporting, and VLOP/VLOSE risk owners. | Privacy, legal, security, product, data governance, DPO where required, processor-management, data-rights, breach-response, and transfer owners. | Use a shared product owner only if each legal view still has a named accountable owner and separate evidence. |
| Trigger | DSA advertising work covers ad labelling, information about who presented and paid for the ad, targeting parameters, restrictions on certain profiling-based ads, and VLOP/VLOSE ad repositories where applicable. | GDPR advertising work covers the lawful basis for processing, consent or legitimate-interest analysis where used, profiling transparency, special-category limits, objection rights, and automated-decision safeguards where applicable. | An ad disclosure that satisfies the DSA does not by itself prove that the underlying personal-data processing is lawful under GDPR. |
| Core obligations | DSA recommender work covers clear terms explaining main parameters, user options to modify or influence those parameters, and for VLOPs/VLOSEs at least one option not based on profiling. | GDPR recommender work covers whether the system processes personal data, whether it profiles users, what lawful basis applies, what transparency is given, and whether Article 22 automated-decision rules are triggered. | Keep recommender documentation in two layers: a DSA user-facing parameter layer and a GDPR processing, profiling, and rights layer. |
| Evidence record | Service classification, average monthly active recipient (AMAR) calculations, terms updates, notice-and-action logs, statement-of-reasons records, complaint outcomes, trader checks, ad disclosures, recommender explanations, transparency report inputs, VLOP/VLOSE risk assessments, mitigation files, audits, and data-access records. | Controller and processor role analysis, lawful-basis records, privacy notices, RoPA, DPIAs, data-rights logs, processor terms, breach assessments, transfer safeguards, retention schedules, security measures, and supervisory-authority correspondence. | Evidence can live in one repository, but each item should be labelled DSA, GDPR, or both and tied to the obligation it supports. |
| Timing and deadlines | DSA timing is driven by service launch, platform-status changes, content or account decisions, statement-of-reasons submission, transparency reporting, average monthly active recipient (AMAR) updates, VLOP/VLOSE designation, risk assessment, audit, and regulator requests. | GDPR timing is driven by data collection, notice delivery, rights-request handling, breach awareness and notification, DPIA or prior consultation before high-risk processing, processor onboarding, transfers, retention, and deletion. | A single product calendar should surface both clocks: DSA clocks for platform governance and GDPR clocks for processing, rights, and breach handling. |
| Enforcement | DSA enforcement involves Digital Services Coordinators and Commission powers for VLOPs/VLOSEs. The DSA permits Commission fines up to 6% of worldwide annual turnover for relevant VLOP/VLOSE infringements and lower caps for certain information failures. | GDPR enforcement involves supervisory authorities, cooperation and consistency mechanisms, corrective powers, and administrative fines. Serious GDPR infringements can reach EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. | Escalate to the regulator route tied to the actual issue: platform governance under DSA, personal-data processing under GDPR, or both when the facts overlap. |
| Overlap and reuse | DSA work focuses on high levels of privacy, safety, and security for minors on online platforms, plus limits on presenting ads based on profiling when the provider knows with reasonable certainty that the recipient is a minor. | GDPR work focuses on child-specific transparency, child consent rules for information-society services when consent is the lawful basis, and special care when legitimate interests may be overridden by a child's rights and freedoms. | Age assurance, default settings, ad limits, and child notices should be reviewed together, but the DSA safety file and the GDPR child-data file should remain distinct. |
| Practical decision rule | DSA transparency includes platform terms, content-moderation explanations, statement-of-reasons records, transparency reports, ad disclosures, recommender explanations, AMAR publication, and VLOP/VLOSE risk and audit publication where applicable. | GDPR transparency includes Articles 12 to 14 notices, information about purposes, lawful basis, recipients, retention, rights, complaint routes, profiling, and international transfers where applicable. | A DSA transparency report is not a privacy notice. A privacy notice is not a DSA statement of reasons or moderation transparency report. |