Summary statistics
Overlaps: 6 · Conflicts: 0 · Gaps: 2
8 article-level crossrefs catalogued between DSA and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| DSA Art 11 | GDPR Art 30 | overlap | low | [entity affected: provider of intermediary services] Both regulations require entities to designate a contact point for authorities; DSA specifies a single point of contact for electronic communicatio |
| DSA Art 12 | GDPR Art 12 | overlap | low | [entity affected: provider of intermediary services] Both regulations mandate that entities provide user-friendly, easily accessible mechanisms for recipients to communicate with them regarding their |
| DSA Art 14 | GDPR Art 12 | overlap | low | [entity affected: provider of intermediary services] Both regulations require terms and conditions or privacy information to be presented in clear, plain, intelligible, and easily accessible language. |
| DSA Art 20 | GDPR Art 22 | overlap | medium | [entity affected: provider of online platforms] Both regulations require human oversight for decisions affecting users; DSA mandates staff supervision for complaint handling, while GDPR requires human |
| DSA Art 17 | GDPR Art 15 | overlap | medium | [entity affected: provider of hosting services] Both regulations require providing specific reasons and information to users regarding actions taken on their data or content, ensuring transparency in |
| DSA Art 28 | GDPR Art 8 | overlap | high | [entity affected: provider of online platforms] Both regulations impose specific obligations regarding the protection of minors, including restrictions on profiling/advertising in DSA and age verifica |
| DSA Art ? | GDPR Art ? | gap | medium | [entity affected: provider of intermediary services] Neither regulation explicitly defines the liability standard for 'negligent' compliance failures in cross-border scenarios where local DSA enforcem |
| DSA Art ? | GDPR Art ? | gap | medium | [entity affected: provider of online platforms] There is no clear guidance on how to reconcile DSA's requirement for rapid content moderation with GDPR's right to be forgotten when the content is not |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 6 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- DSA Art 28 vs GDPR Art 8 (high severity) — [entity affected: provider of online platforms] Both regulations impose specific obligations regarding the protection of minors, including restrictions on profiling/advertising in DSA and age verification/consent rules in GDPR.
- DSA Art 20 vs GDPR Art 22 (medium severity) — [entity affected: provider of online platforms] Both regulations require human oversight for decisions affecting users; DSA mandates staff supervision for complaint handling, while GDPR requires human intervention for automated decision-making.
- DSA Art 17 vs GDPR Art 15 (medium severity) — [entity affected: provider of hosting services] Both regulations require providing specific reasons and information to users regarding actions taken on their data or content, ensuring transparency in decision-making.
- DSA Art 11 vs GDPR Art 30 (low severity) — [entity affected: provider of intermediary services] Both regulations require entities to designate a contact point for authorities; DSA specifies a single point of contact for electronic communication, while GDPR requires contact details for the Data Protection Officer or controller.
- DSA Art 12 vs GDPR Art 12 (low severity) — [entity affected: provider of intermediary services] Both regulations mandate that entities provide user-friendly, easily accessible mechanisms for recipients to communicate with them regarding their rights or service issues.
- DSA Art 14 vs GDPR Art 12 (low severity) — [entity affected: provider of intermediary services] Both regulations require terms and conditions or privacy information to be presented in clear, plain, intelligible, and easily accessible language.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between DSA and GDPR. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 6 overlaps as design opportunities — one control, two regulatory anchors. Treat the 0 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- dsa vs nis2 comparison
- ai act art 17 provider obligations
- ai act art 70 commission obligations
- ai act authorized representative
Check your full compliance exposure with the 5-minute Fontvera diagnostic →