---
title: "DSA vs GDPR: online-platform governance and personal-data obligations"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-services-act/dsa-vs-gdpr"
source_url: "https://www.sorena.io/artifacts/eu/digital-services-act/dsa-vs-gdpr"
author: "Sorena AI"
description: "Compare the EU Digital Services Act and EU GDPR by scope, ads, recommenders, minors, transparency, complaints, enforcement, and evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "DSA vs GDPR"
  - "Digital Services Act"
  - "GDPR"
  - "online platforms"
  - "content moderation"
  - "personal data"
  - "recommender systems"
  - "DSA"
---

# DSA vs GDPR: online-platform governance and personal-data obligations

Compare the EU Digital Services Act and EU GDPR by scope, ads, recommenders, minors, transparency, complaints, enforcement, and evidence.


## DSA vs GDPR: what each law actually governs

Use this comparison to separate DSA duties for intermediary services and online-platform governance from GDPR duties for personal-data processing.

The split matters for ads, recommenders, minors, transparency notices, complaints, enforcement routes, and the evidence a platform should keep.

The Digital Services Act and GDPR can both affect the same online service, but they answer different questions. The DSA regulates intermediary services, platform accountability, illegal-content processes, advertising transparency, recommender transparency, trader traceability, and systemic-risk governance for very large services. GDPR regulates processing of personal data: lawful basis, transparency, data-subject rights, controller and processor roles, security, breach notification, transfers, retention, and accountability.

## DSA vs GDPR: practical differences for online services

Use these rows to decide which law controls the workstream, what evidence belongs on each side, and where the same product feature needs both.

- **Digital Services Act**: The DSA side focuses on intermediary-service and online-platform governance: illegal-content processes, content moderation, marketplace duties, ads, recommenders, transparency, complaint routes, and VLOP/VLOSE systemic risks.
- **GDPR**: The GDPR side focuses on personal-data processing: lawful basis, transparency, rights, controller and processor roles, security, breach response, DPIAs, transfers, retention, and accountability.

| Dimension | Digital Services Act | GDPR | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Intermediary services offered to recipients in the Union, with duties increasing for hosting services, online platforms, marketplaces, and VLOPs/VLOSEs. | Processing of personal data wholly or partly by automated means, or non-automated processing in a filing system, by controllers and processors within GDPR scope. | Classify the service under the DSA and the processing operation under GDPR. One classification does not answer the other. | [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports keeping the DSA service classification separate from GDPR processing classification.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping the GDPR processing classification separate from DSA service classification. |
| Covered actors | Trust and safety, platform policy, marketplace operations, advertising, recommender-system, legal, transparency-reporting, and VLOP/VLOSE risk owners. | Privacy, legal, security, product, data governance, DPO where required, processor-management, data-rights, breach-response, and transfer owners. | Use a shared product owner only if each legal view still has a named accountable owner and separate evidence. | [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the need to retain DSA-specific accountability even when one product owner coordinates implementation.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the need to retain GDPR-specific accountability even when one product owner coordinates implementation. |
| Trigger | DSA advertising work covers ad labelling, information about who presented and paid for the ad, targeting parameters, restrictions on certain profiling-based ads, and VLOP/VLOSE ad repositories where applicable. | GDPR advertising work covers the lawful basis for processing, consent or legitimate-interest analysis where used, profiling transparency, special-category limits, objection rights, and automated-decision safeguards where applicable. | An ad disclosure that satisfies the DSA does not by itself prove that the underlying personal-data processing is lawful under GDPR. | [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA side of the advertising-disclosure obligation.<br>[European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports VLOP/VLOSE advertising repository and enhanced advertising-transparency references.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the separate GDPR requirement to justify and explain personal-data processing.<br>[Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports the practical lawful-basis split for personal-data processing used in advertising systems. |
| Core obligations | DSA recommender work covers clear terms explaining main parameters, user options to modify or influence those parameters, and for VLOPs/VLOSEs at least one option not based on profiling. | GDPR recommender work covers whether the system processes personal data, whether it profiles users, what lawful basis applies, what transparency is given, and whether Article 22 automated-decision rules are triggered. | Keep recommender documentation in two layers: a DSA user-facing parameter layer and a GDPR processing, profiling, and rights layer. | [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports DSA recommender-system parameter transparency and user-option references.<br>[European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the DSA recommender documentation layer for large designated services.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR processing and rights layer for recommender systems using personal data. |
| Evidence record | Service classification, average monthly active recipient (AMAR) calculations, terms updates, notice-and-action logs, statement-of-reasons records, complaint outcomes, trader checks, ad disclosures, recommender explanations, transparency report inputs, VLOP/VLOSE risk assessments, mitigation files, audits, and data-access records. | Controller and processor role analysis, lawful-basis records, privacy notices, RoPA, DPIAs, data-rights logs, processor terms, breach assessments, transfer safeguards, retention schedules, security measures, and supervisory-authority correspondence. | Evidence can live in one repository, but each item should be labelled DSA, GDPR, or both and tied to the obligation it supports. | [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports labelling evidence that proves DSA-specific platform duties.<br>[European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports statement-of-reasons export and Transparency Database evidence references.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports labelling evidence that proves GDPR-specific accountability duties.<br>[Data Protection Commission - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports the RoPA fields used in the GDPR evidence list. |
| Timing and deadlines | DSA timing is driven by service launch, platform-status changes, content or account decisions, statement-of-reasons submission, transparency reporting, average monthly active recipient (AMAR) updates, VLOP/VLOSE designation, risk assessment, audit, and regulator requests. | GDPR timing is driven by data collection, notice delivery, rights-request handling, breach awareness and notification, DPIA or prior consultation before high-risk processing, processor onboarding, transfers, retention, and deletion. | A single product calendar should surface both clocks: DSA clocks for platform governance and GDPR clocks for processing, rights, and breach handling. | [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports including DSA platform-governance clocks in product planning.<br>[European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports statement-of-reasons and Transparency Database workflow references.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports including GDPR rights, breach, DPIA, transfer, retention, and deletion clocks in product planning. |
| Enforcement | DSA enforcement involves Digital Services Coordinators and Commission powers for VLOPs/VLOSEs. The DSA permits Commission fines up to 6% of worldwide annual turnover for relevant VLOP/VLOSE infringements and lower caps for certain information failures. | GDPR enforcement involves supervisory authorities, cooperation and consistency mechanisms, corrective powers, and administrative fines. Serious GDPR infringements can reach EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. | Escalate to the regulator route tied to the actual issue: platform governance under DSA, personal-data processing under GDPR, or both when the facts overlap. | [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports DSA Commission enforcement powers and the 6% fine cap for relevant VLOP/VLOSE infringements.<br>[European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the Commission's role for designated VLOPs and VLOSEs.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports routing GDPR issues through supervisory authorities and GDPR remedies.<br>[European Commission - The Digital Services Act](https://digital-strategy.ec.europa.eu/en/policies/digital-services-act?ref=sorena.io) - Supports routing DSA issues through DSA supervisory and enforcement structures. |
| Overlap and reuse | DSA work focuses on high levels of privacy, safety, and security for minors on online platforms, plus limits on presenting ads based on profiling when the provider knows with reasonable certainty that the recipient is a minor. | GDPR work focuses on child-specific transparency, child consent rules for information-society services when consent is the lawful basis, and special care when legitimate interests may be overridden by a child's rights and freedoms. | Age assurance, default settings, ad limits, and child notices should be reviewed together, but the DSA safety file and the GDPR child-data file should remain distinct. | [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports DSA Article 28 minor-protection and profiling-based advertising references.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the separate GDPR child-data review for processing based on consent or legitimate interests.<br>[European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the DSA systemic-risk references to children, minors, recommender systems, and advertising systems for VLOPs/VLOSEs. |
| Practical decision rule | DSA transparency includes platform terms, content-moderation explanations, statement-of-reasons records, transparency reports, ad disclosures, recommender explanations, AMAR publication, and VLOP/VLOSE risk and audit publication where applicable. | GDPR transparency includes Articles 12 to 14 notices, information about purposes, lawful basis, recipients, retention, rights, complaint routes, profiling, and international transfers where applicable. | A DSA transparency report is not a privacy notice. A privacy notice is not a DSA statement of reasons or moderation transparency report. | [European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports keeping statement-of-reasons records separate from privacy-notice evidence.<br>[European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports VLOP/VLOSE transparency duties for ads, recommenders, audits, risk reporting, and data access.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR notice evidence separate from DSA transparency reports. |

Sources for Scope boundary - Digital Services Act:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA scope statement for intermediary services offered to recipients in the Union.
  - Quote: "intermediary services"

Sources for Scope boundary - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR processing-scope statement for automated and filing-system personal-data processing.
  - Quote: "processing of personal data"

Sources for Scope boundary - operational implication:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports keeping the DSA service classification separate from GDPR processing classification.
  - Quote: "intermediary services"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping the GDPR processing classification separate from DSA service classification.
  - Quote: "personal data"

Sources for Covered actors - Digital Services Act:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA owner set by tying it to platform, content moderation, advertising, recommender, marketplace, transparency, and VLOP/VLOSE duties.
  - Quote: "online platforms"

Sources for Covered actors - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR owner set by tying it to controller, processor, DPO, security, breach, rights, transfer, and accountability duties.
  - Quote: "controller or processor"

Sources for Covered actors - operational implication:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the need to retain DSA-specific accountability even when one product owner coordinates implementation.
  - Quote: "due diligence obligations"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the need to retain GDPR-specific accountability even when one product owner coordinates implementation.
  - Quote: "accountability"

Sources for Trigger - Digital Services Act:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports DSA advertising-transparency and profiling-related ad restrictions.
  - Quote: "online advertising"
- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports VLOP/VLOSE advertising repository and enhanced advertising-transparency references.
  - Quote: "advertising"

Sources for Trigger - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR lawful-basis, profiling, transparency, objection, and automated-decision references.
  - Quote: "profiling"
- [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports the practical lawful-basis split for personal-data processing used in advertising systems.
  - Quote: "legal basis"

Sources for Trigger - operational implication:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA side of the advertising-disclosure obligation.
  - Quote: "advertisements"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the separate GDPR requirement to justify and explain personal-data processing.
  - Quote: "lawfulness of processing"

Sources for Core obligations - Digital Services Act:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports DSA recommender-system parameter transparency and user-option references.
  - Quote: "recommender systems"
- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the VLOP/VLOSE duty to provide a recommender option not based on user profiling.
  - Quote: "not based on user profiling"

Sources for Core obligations - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR profiling, transparency, and automated-decision references for recommender systems using personal data.
  - Quote: "automated decision-making"

Sources for Core obligations - operational implication:

- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the DSA recommender documentation layer for large designated services.
  - Quote: "recommender systems"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR processing and rights layer for recommender systems using personal data.
  - Quote: "profiling"

Sources for Evidence record - Digital Services Act:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA evidence categories for service classification, platform duties, transparency, complaints, ads, recommenders, and VLOP/VLOSE risk controls.
  - Quote: "transparency reports"
- [European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports statement-of-reasons export and Transparency Database evidence references.
  - Quote: "statements of reasons"

Sources for Evidence record - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR evidence categories for processing, rights, security, breaches, transfers, and accountability.
  - Quote: "records of processing activities"
- [Data Protection Commission - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports the RoPA fields used in the GDPR evidence list.
  - Quote: "RoPA"

Sources for Evidence record - operational implication:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports labelling evidence that proves DSA-specific platform duties.
  - Quote: "due diligence obligations"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports labelling evidence that proves GDPR-specific accountability duties.
  - Quote: "accountability"

Sources for Timing and deadlines - Digital Services Act:

- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports VLOP/VLOSE designation timing, AMAR publication, and recurring enhanced-duty references.
  - Quote: "four months"
- [European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports statement-of-reasons and Transparency Database workflow references.
  - Quote: "daily dump files"

Sources for Timing and deadlines - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR timing references for notices, rights requests, breach notification, DPIAs, transfers, retention, and deletion.
  - Quote: "72 hours"

Sources for Timing and deadlines - operational implication:

- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports including DSA platform-governance clocks in product planning.
  - Quote: "at least every 6 months"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports including GDPR rights, breach, DPIA, transfer, retention, and deletion clocks in product planning.
  - Quote: "without undue delay"

Sources for Enforcement - Digital Services Act:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports DSA Commission enforcement powers and the 6% fine cap for relevant VLOP/VLOSE infringements.
  - Quote: "6 %"
- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the Commission's role for designated VLOPs and VLOSEs.
  - Quote: "VLOPs"

Sources for Enforcement - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR supervisory-authority enforcement and the EUR 20 million or 4% administrative fine cap for serious infringements.
  - Quote: "4 %"

Sources for Enforcement - operational implication:

- [European Commission - The Digital Services Act](https://digital-strategy.ec.europa.eu/en/policies/digital-services-act?ref=sorena.io) - Supports routing DSA issues through DSA supervisory and enforcement structures.
  - Quote: "Digital Services Coordinators"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports routing GDPR issues through supervisory authorities and GDPR remedies.
  - Quote: "supervisory authority"

Sources for Overlap and reuse - Digital Services Act:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports DSA Article 28 minor-protection and profiling-based advertising references.
  - Quote: "protection of minors"

Sources for Overlap and reuse - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR child-consent, child-specific transparency, and child-rights balancing references.
  - Quote: "child"

Sources for Overlap and reuse - operational implication:

- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the DSA systemic-risk references to children, minors, recommender systems, and advertising systems for VLOPs/VLOSEs.
  - Quote: "children's rights"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the separate GDPR child-data review for processing based on consent or legitimate interests.
  - Quote: "child's consent"

Sources for Practical decision rule - Digital Services Act:

- [European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports statement-of-reasons evidence and Transparency Database references.
  - Quote: "statements of reasons"
- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports VLOP/VLOSE transparency duties for ads, recommenders, audits, risk reporting, and data access.
  - Quote: "transparency"

Sources for Practical decision rule - GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR transparency duties for information to data subjects and communications about rights.
  - Quote: "transparent information"

Sources for Practical decision rule - operational implication:

- [European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports keeping statement-of-reasons records separate from privacy-notice evidence.
  - Quote: "statements of reasons"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR notice evidence separate from DSA transparency reports.
  - Quote: "data subject"

### How to use the comparison

- Ask whether the problem is about intermediary-service or platform governance, personal-data processing, or both.
- For DSA, classify the service tier and the platform feature: moderation, marketplace, ad, recommender, transparency, complaint, or VLOP/VLOSE risk.
- For GDPR, classify the processing purpose, role, lawful basis, data categories, recipients, retention, rights impact, and security needs.
- Keep one cross-reference between the two files when the same feature supports both regimes, but do not merge their legal conclusions.

Sources for the practical decision rule:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA service-tier and platform-feature questions used in this comparison.
  - Quote: "intermediary services"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR processing-purpose, role, lawful-basis, rights, and accountability questions used in this comparison.
  - Quote: "personal data"

## The short version

Start with the activity. If the issue is content moderation, marketplace traceability, platform terms, notices about illegal content, recommender choices, ad labelling, transparency reports, or VLOP/VLOSE systemic-risk files, the DSA workstream is likely in view.

If the issue is collecting, using, disclosing, storing, profiling, securing, deleting, transferring, or responding to requests about personal data, the GDPR workstream is in view. Many ad, recommender, safety, and moderation systems need both workstreams because the DSA governs platform behaviour while GDPR governs the personal-data processing behind it.

- DSA evidence should show the service category, moderation workflow, user-facing explanations, complaint route, transparency report inputs, advertising or recommender disclosure, and VLOP/VLOSE risk controls where applicable.
- GDPR evidence should show the controller or processor role, lawful basis, notice content, data-subject rights handling, RoPA entry, security measures, DPIA where required, breach assessment, transfer safeguard, and retention rule.
- Do not treat DSA transparency as a substitute for GDPR transparency. A statement of reasons for moderation and a privacy notice for personal-data processing serve different legal functions.

Sources for this answer:

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA scope, service-tier, content-moderation, platform, advertising, recommender, complaint, transparency, and enforcement obligations used in the comparison.
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR scope, lawful-basis, rights, security, breach, supervisory-authority, and fine references used in the comparison.

## Where overlap usually happens

Overlap is common in ads, recommenders, age assurance, anti-abuse tooling, account enforcement, trusted flagger queues, research access, and transparency reporting. The same event can create a DSA record and a GDPR record: for example, a content demotion may need a DSA moderation explanation and a GDPR assessment if profiling, special-category data, automated decision-making, or user-rights requests are involved.

A useful operating model keeps one product inventory but two legal views. The DSA view classifies the service and platform obligation. The GDPR view classifies the processing purpose, lawful basis, role, data categories, recipients, retention, and data-subject impact.

- For advertising, keep DSA ad-label and repository evidence separate from GDPR lawful-basis, consent, legitimate-interest, profiling, and transparency evidence.
- For recommender systems, keep DSA parameter and non-profiling-option evidence separate from GDPR profiling, transparency, and automated-decision evidence.
- For minors, keep DSA safety-by-design and age-assurance evidence separate from GDPR child-consent, child-specific transparency, and data-minimisation evidence.

Sources for this answer:

- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports the VLOP/VLOSE threshold and enhanced duties for advertising transparency, recommender systems, systemic-risk assessment, audits, data access, and non-profiling recommender options.
- [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports the GDPR comparison point that any personal-data processing needs a legal basis such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.

## Complaints and user remedies are not the same

Under the DSA, an online-platform user may be dealing with notice-and-action, a moderation restriction, an internal complaint system, an out-of-court dispute settlement body, or a complaint to a Digital Services Coordinator. The evidence should show what action the platform took on content, accounts, goods, services, ads, or platform terms.

Under GDPR, the person is asserting rights over personal data or complaining that processing infringes GDPR. The evidence should show identity checks where needed, the request or complaint type, deadline handling, data located, exemptions considered, response given, and any supervisory-authority correspondence.

- A DSA appeal file should explain the platform decision and the DSA route offered to the recipient of the service.
- A GDPR rights file should show the data-subject request, the controller response, and the basis for any refusal or restriction.
- If one user message includes both a moderation appeal and a data-access request, split it into both queues instead of forcing one route to absorb the other.

Sources for this answer:

- [European Commission - The Digital Services Act](https://digital-strategy.ec.europa.eu/en/policies/digital-services-act?ref=sorena.io) - Supports the DSA user-rights framing for content removal explanations, appeals, illegal-content reporting, minor protection, and complaints to a Digital Services Coordinator.
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR rights, complaint rights to supervisory authorities, and judicial remedy references.

## Evidence split for audits and enforcement

DSA enforcement evidence usually starts with the provider's service category and the obligation tier. For VLOPs and VLOSEs, the record expands to user-number evidence, risk assessments, mitigation measures, audits, data-access handling, recommender options, advertising transparency, and Commission or Digital Services Coordinator communications.

GDPR enforcement evidence starts with the processing operation. A controller or processor should be able to show why processing is lawful, what notice was given, how rights are handled, what security measures exist, how breaches are assessed and notified, how processors are instructed, and how transfers and retention are controlled.

- Keep DSA content-moderation logs and statement-of-reasons exports with platform-policy, notice, action, complaint, and report fields.
- Keep GDPR RoPA, DPIA, data-rights, breach, processor, transfer, and retention records with processing-purpose and lawful-basis fields.
- Where a shared system feeds both regimes, add obligation labels to the evidence so a reviewer can see which record supports DSA, GDPR, or both.

Sources for this answer:

- [European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports the statement-of-reasons and Transparency Database evidence references for DSA moderation decisions.
- [Data Protection Commission - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports the GDPR RoPA evidence references for purposes, categories, recipients, transfers, retention, and security measures.

## Timing and deadlines

DSA timing is driven by service launch, platform-status changes, content or account decisions, statement-of-reasons submission, transparency reporting, average monthly active recipient (AMAR) updates, VLOP/VLOSE designation, risk assessment, audit, and regulator requests.

GDPR timing is driven by data collection, notice delivery, rights-request handling, breach awareness and notification, DPIA or prior consultation before high-risk processing, processor onboarding, transfers, retention, and deletion.

## Enforcement

DSA enforcement involves Digital Services Coordinators and Commission powers for VLOPs/VLOSEs. The DSA permits Commission fines up to 6% of worldwide annual turnover for relevant VLOP/VLOSE infringements and lower caps for certain information failures.

GDPR enforcement involves supervisory authorities, cooperation and consistency mechanisms, corrective powers, and administrative fines. Serious GDPR infringements can reach EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.

## Protection of minors

DSA work focuses on high levels of privacy, safety, and security for minors on online platforms, plus limits on presenting ads based on profiling when the provider knows with reasonable certainty that the recipient is a minor.

GDPR work focuses on child-specific transparency, child consent rules for information-society services when consent is the lawful basis, and special care when legitimate interests may be overridden by a child's rights and freedoms.

## Transparency duties

DSA transparency includes platform terms, content-moderation explanations, statement-of-reasons records, transparency reports, ad disclosures, recommender explanations, AMAR publication, and VLOP/VLOSE risk and audit publication where applicable.

GDPR transparency includes Articles 12 to 14 notices, information about purposes, lawful basis, recipients, retention, rights, complaint routes, profiling, and international transfers where applicable.

## Primary sources

- [Regulation (EU) 2022/2065 (Digital Services Act)](https://eur-lex.europa.eu/eli/reg/2022/2065/oj?ref=sorena.io) - Supports the DSA service-tier and platform-feature questions used in this comparison.
  - Quote: "intermediary services"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR processing-purpose, role, lawful-basis, rights, and accountability questions used in this comparison.
  - Quote: "personal data"
- [European Commission - DSA: Very large online platforms and search engines](https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops?ref=sorena.io) - Supports VLOP/VLOSE transparency duties for ads, recommenders, audits, risk reporting, and data access.
  - Quote: "transparency"
- [European Commission - DSA Transparency Database Q&A](https://digital-strategy.ec.europa.eu/en/faqs/dsa-transparency-database-questions-and-answers?ref=sorena.io) - Supports keeping statement-of-reasons records separate from privacy-notice evidence.
  - Quote: "statements of reasons"
- [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports the practical lawful-basis split for personal-data processing used in advertising systems.
  - Quote: "legal basis"
- [Data Protection Commission - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports the RoPA fields used in the GDPR evidence list.
  - Quote: "RoPA"
- [European Commission - The Digital Services Act](https://digital-strategy.ec.europa.eu/en/policies/digital-services-act?ref=sorena.io) - Supports routing DSA issues through DSA supervisory and enforcement structures.
  - Quote: "Digital Services Coordinators"

