Summary statistics
Overlaps: 6 · Conflicts: 2 · Gaps: 2
10 article-level crossrefs catalogued between DSA and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| DSA Art 11 | GDPR Art 30 | overlap | low | [entity affected: provider of intermediary services] Both regulations require entities to designate a contact point for authorities; DSA specifies a single point of contact for electronic communicatio |
| DSA Art 12 | GDPR Art 12 | overlap | low | [entity affected: provider of intermediary services] Both regulations mandate that entities provide user-friendly, easily accessible mechanisms for recipients to communicate with them regarding their |
| DSA Art 14 | GDPR Art 12 | overlap | low | [entity affected: provider of intermediary services] Both regulations require terms and conditions or privacy information to be presented in clear, plain, intelligible, and easily accessible language. |
| DSA Art 20 | GDPR Art 22 | overlap | medium | [entity affected: provider of online platforms] Both regulations require human oversight for decisions affecting users; DSA mandates staff supervision for complaint handling, while GDPR requires human |
| DSA Art 17 | GDPR Art 15 | overlap | medium | [entity affected: provider of hosting services] Both regulations require providing specific reasons and information to users regarding actions taken on their data or content, ensuring transparency in |
| DSA Art 28 | GDPR Art 8 | overlap | high | [entity affected: provider of online platforms] Both regulations impose specific obligations regarding the protection of minors, including restrictions on profiling/advertising in DSA and age verifica |
| DSA Art 10 | GDPR Art 5 | conflict | medium | [entity affected: provider of intermediary services] DSA Art 10 limits information orders to data already collected for service provision, which may conflict with GDPR Art 5's purpose limitation princ |
| DSA Art 18 | GDPR Art 6 | conflict | high | [entity affected: provider of hosting services] DSA Art 18 mandates reporting criminal threats to law enforcement, which may conflict with GDPR Art 6 if the processing lacks a specific legal basis or |
| DSA Art ? | GDPR Art ? | gap | medium | [entity affected: provider of intermediary services] Neither regulation explicitly defines the liability standard for 'negligent' compliance failures in cross-border scenarios where local DSA enforcem |
| DSA Art ? | GDPR Art ? | gap | medium | [entity affected: provider of online platforms] There is no clear guidance on how to reconcile DSA's requirement for rapid content moderation with GDPR's right to be forgotten when the content is not |
Conflicts explained
The 2 article-level conflicts between DSA and GDPR mean a control that satisfies one can pull the wrong way on the other:
- DSA Art 10 vs GDPR Art 5 — [entity affected: provider of intermediary services] DSA Art 10 limits information orders to data already collected for service provision, which may conflict with GDPR Art 5's purpose limitation principle if the original purpose did not include law enforcement cooperation.
- DSA Art 18 vs GDPR Art 6 — [entity affected: provider of hosting services] DSA Art 18 mandates reporting criminal threats to law enforcement, which may conflict with GDPR Art 6 if the processing lacks a specific legal basis or legitimate interest justification for that specific disclosure.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between DSA and GDPR. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 6 overlaps as design opportunities — one control, two regulatory anchors. Treat the 2 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- dsa obligations online advertising
- dsa obligations online platforms
- dsa vs eprivacy comparison
- dsa vs nis2 comparison
Check your full compliance exposure with the 5-minute Fontvera diagnostic →