The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

GDPR evolution through the EU Data Strategy – 3

There are several provisions of the DGA, DMA, DSA, and the proposed EHDS that intersect those of the GDPR realizing on various issues a composite discipline from multiple sources.

In this round, we will focus on the news concerning:

  • Minors  
  • Risk assessment  
  • Profiling  
  • Forbidden data processing 
  • Audits and independent controls  
  • European authorities and committees  
  • Data transfers to non-EU countries  
  • Complaints and appeals  
  • Fines.
Figure – Summary of key EU data legislation.


The DSA recognizes greater protections for minors by requiring providers of online platforms, which are accessible to minors, to take measures that are capable of ensuring a high level of protection to privacy, safety and security (Article 28, DSA). 

Online platform providers are subject to the ban on targeted advertising – that is, based on profiling according to the GDPR –  if they use personal data of a child as the recipient of the service. 

For the DSA, “an online platform may be considered accessible to minors when its general terms and conditions allow minors to use the service, when its service is directed at or used predominantly by minors, or if the provider is otherwise aware that some of the recipients of its service are minors, for example because it already processes the personal data of recipients of its service that reveal their age for other purposes.” However, the DSA “does not oblige providers of online platforms to process additional personal data in order to assess whether the recipient of the service is a minor” in compliance with the GDPR’s principle of minimization (Art. 28(4), DSA). 

In terms of transparency, the DSA stipulates that “providers of intermediary services that are primarily directed at minors (…or which are used predominantly by minors), should make particular efforts to render the explanation of their terms and conditions easily understandable to minors” reinforcing what Article 12 of the GDPR provides in this regard [Recital (46), DSA].

Risk mitigation measures for children’s rights include “age verification and parental control tools, tools aimed at helping minors signal abuse or obtain support, as appropriate” to complement Article 32 of the GDPR [Article 35(1)(j), DSA].