Are you subject to implementing the DSA? Don’t forget about GDPR!

definicja budowli

Table of Contents:

  1. Digital Services Act (DSA) – Scope of Application
  2. Who is Required to Implement DSA?
  3. Implementing DSA – New Responsibilities
  4. DSA and GDPR Obligations

On February 17, 2024, the Digital Services Act (DSA) came into force. By implementing its obligations, administrators are undertaking new personal data processing activities, necessitating the update of GDPR processes and documentation.

Digital Services Act (DSA) – Scope of Application

When referring to the DSA, we mean Regulation (EU) 2022/2065 of the European Parliament and of the Council of October 19, 2022, on the single market for digital services and amending Directive 2000/31/EC. Contrary to common belief, it does not only concern internet giants like Google or Facebook but also smaller entities qualified as providers of “intermediary services.”

Who is Required to Implement DSA?

To answer this question, it is necessary to clarify who qualifies as a provider of intermediary services. The Regulation specifies that an intermediary service includes “mere conduit,” “caching,” and “hosting services.” Crucially, hosting services are broadly defined as the storage of information provided by a recipient of the service at their request. In this sense, providers of hosting services include not only cloud service providers and hosting platforms but also social media, internet platforms, search engines, online stores, and entities providing internet forums or blogs with commenting capabilities.

Implementing DSA – New Responsibilities

Entities subject to the DSA must appoint a point of contact and ensure mechanisms for moderating published content. They must also establish procedures for responding to breaches and the publication of illegal content, as well as an appeals procedure for users. It is advisable to develop cooperation rules with law enforcement agencies. These are just a few of the changes envisaged by the DSA. Some of those not mentioned above will not apply to micro and small enterprises as defined in EU Recommendation 2003/361/EC.

DSA and GDPR Obligations

It is worth noting that the new obligations under the DSA involve new data processing activities under the GDPR, impacting the currency of applied documents and safeguards. New data processing activities must be included in the records of processing activities maintained under Article 30(1) of the GDPR. Regarding these new activities, a risk analysis must also be conducted to identify potential violations of the rights and freedoms of data subjects. The analysis may also necessitate a data protection impact assessment.

3.5