The GDPR and the DSA (Digital Services Act)

Ahead of our team launching a new solution to assist with the Digital Services Act, I'll share some important reminders about the links between the GDPR and the DSA.

A key element is the notion of processing personal data as per the definition of the GDPR.

Article 4(1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

The GDPR refers to intermediary service providers (defined in Articles 12 to 15 of Directive 2000/31/EC).

In Directive 2000/31/EC, these refer to:
- Mere conduits (Article 12)
- Caching (Article 13)
- Hosting (Article 14)
- Monitoring (Article 15)

This means that, although data is being handled, under the GDPR it's another story. These intermediary service activities wouldn't be considered "processing" per se, since the service provider doesn't know whether personal data is embedded within the service provided or not.

Example: a mere conduit. Mere conduits are like the post office. They transfer data from A to B and shouldn't know what is within the data, in the same way the post office shouldn't know what is in a letter. Customs may open a parcel to see what is inside, but as a government agency they would be allowed to in some circumstances; the carrier would not.

It doesn't mean the companies in the scope of these articles shouldn't comply with the GDPR as an organisation; it means that the specific activities that qualify them as "intermediary service providers" wouldn't be part of it, for obvious reasons.

One problem for these companies is that if they don't strictly adhere to these criteria, the related activity is likely to be in scope of the GDPR. For instance, if Google were using the data from its caching services to add data points to its advertising business. We will probably never know if they do so or not.

Directive 2000/31/EC is now complemented by the DSA. Complemented, because Member States may have local legislation under the Directive. The DSA is now applicable to these companies, with new obligations.

What may not have been under the scope of the GDPR may be in the scope of the DSA. Clients of the Bizoneo GRC suite were already able to flag elements in scope of the Directive, and the suite has now been enhanced to assist with the DSA.

If your organisation is concerned about intermediary services potentially harvesting personal data, your organisation should:

  • implement strong encryption in transit, ensuring due diligence as to who issues the certificates. For instance, TLS 1.2 / 1.3 is meant to mitigate this.
  • ensure data is encrypted at rest, but check who holds the key, bearing in mind that a computer program running in the background needs it somehow.
  • question whether CDN / caching is needed. Some global sites may be getting a lot of traffic, though maybe not as much as people think. However, many websites aren't optimised for speed, and I know many website owners using Cloudflare to cache and compress files because they don't know how to optimise. Hosting locally can solve the third-party caching issue.

Regardless of your concern regarding intermediary services, these measures should be implemented.

There is also a point in the DSA about "dark patterns" to complement those of the GDPR (odd, as there is limited enforcement of dark patterns in consent mechanisms under the GDPR, but one can hope).

Our team can help you document your processing activities and assist you on both the GDPR and the DSA. It's as simple as using the contact form.

Claude Saulnier


Post Scriptum (PS):