EDPB’s New Guidance on the DSA–GDPR Interplay: Where Does Digital Accountability Begin, and Where Does It End?

The European Data Protection Board (EDPB) has released a new and highly anticipated guidance clarifying the relationship between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR) — two cornerstone instruments shaping the digital order in Europe.

Although these frameworks were designed with different objectives in mind, both converge on a single question:

Where does data protection end, and where does freedom of expression begin?

This new guidance suggests that such boundaries can no longer be defined solely through legal reasoning; they must also consider ethical, algorithmic, and societal accountability.

🔹 A New Balance Between Platform Power and User Rights

Social media platforms have evolved into more than mere communication spaces — they are now ecosystems that influence identity, reputation, and public discourse.
The DSA aims to strengthen the public responsibility of online platforms, while the GDPR ensures accountability in data processing behind these activities.

The EDPB’s message is clear: every act of content moderation, recommendation, or account suspension constitutes a form of data processing and must therefore comply with GDPR principles — particularly transparency, lawfulness, and accountability.

🔹 Three Key Points from the EDPB Guidance

1️⃣ Transparency Notices:
A simple “your post violated our community rules” is no longer sufficient. Users deserve to know what personal data or algorithmic factors influenced such decisions and how they can contest them.

2️⃣ Profiling & Advertising:
While the DSA limits behavioral advertising, the GDPR defines how those restrictions must be implemented — emphasizing explicit consent and data minimization. Advertising freedom must not turn into behavioral manipulation.

3️⃣ Data Sharing for Research or Oversight:
When platforms share data with authorities or researchers, anonymization and proportionality remain key. “Public interest” is not a license for unrestricted access.

🔹 Tuna Law Firm Insight

According to Dr. Çağrı Tuna,

“This development shows that the law’s role in the digital ecosystem is no longer limited to setting rules — it now provides a moral compass for technology. The DSA–GDPR interplay transforms data protection into a broader concept of digital ethics and institutional conscience.”

🔹 Implications for Türkiye

Even though Türkiye is not bound by EU law, the KVKK’s evolution closely follows the GDPR’s trajectory.
This means global platforms operating locally — or Turkish companies serving EU users — will likely face indirect compliance pressure.
Key action points include:

Enhancing transparency in content removal and restriction decisions,

Auditing algorithmic recommendation systems,

Redesigning consent mechanisms for targeted advertising.

🔹 Conclusion: The New Formula for Digital Trust

The EDPB’s approach underscores that data protection, public safety, transparency, privacy, and freedom of expression now exist in a shared regulatory space.

Digital trust begins not only with protecting the right data — but with asking the right questions.