Commission Decision on the processing of personal data for the purpose of supervision, investigation, enforcement and monitoring under the DSA
IRIS 2025-4:1/4
Amélie Lacourt
European Audiovisual Observatory
On 31 March 2025, the European Commission adopted Decision (EU) 2025/628, establishing internal rules for the European Commission’s handling of personal data during supervisory, investigative, enforcement and monitoring activities under the Digital Services Act (DSA). The decision aims to provide a balance between effective regulatory enforcement and individual data protection rights. It addresses in particular the rules to be followed by the Commission to inform data subjects of the processing of their personal data (Article 4), as well as the restriction of certain rights of data subjects (Article 3), under the General Data Protection Regulation (GDPR).
The scope of the decision is set out in Article 2. The decision applies to personal data processing involving various categories of individuals, including suspects, victims, whistleblowers, informants, witnesses, staff of a business undertaking and natural persons whose personal data is contained in the documents or other media collected as part of supervision, investigation, enforcement and monitoring pursuant to the DSA. The categories of personal data include identification data, contact details, case involvement data and case-related data.
As outlined in Article 3, the decision also permits restrictions on data subjects’ rights, in particular regarding the right of access and the right to the rectification, erasure and communication of personal data breaches, if the exercise of these rights would:
- jeopardise the Commission’s supervisory, investigative, enforcement, and monitoring activities;
- adversely affect the protection of the data subject or the rights or freedoms of others;
- jeopardise the Commission’s cooperation with member states.
When the conditions for restrictions no longer apply, the Commission must lift them and inform the affected individuals of the breach, of their rights (the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy in the Court of Justice of the European Union) and of the reasons for the previous restrictions (Article 8).
Restrictions must respect fundamental rights and freedoms laid down by the Charter of Fundamental Rights of the European Union. Restrictions must be necessary, proportionate and justified on a case-by-case basis. The Commission must therefore document its reasoning for imposing restrictions and periodically review their necessity. Periodic reports are also required under Article 7 to ensure transparency and accountability.
Safeguards to prevent abuse and unlawful access to or transfer of personal data are established in Article 9. They include technical and organisational measures such as:
- a clear definition of roles, responsibilities, procedural steps and access rights;
- a secure electronic environment;
- the secure storage and processing of paper documents;
- due monitoring of restrictions and a periodic review of their application.
The decision will take effect on 21 April 2025.
References
- Commission Decision (EU) 2025/628 of 31 March 2025 laying down internal rules concerning the provision of information to data subjects and the restrictions of certain data-subjects’ rights in relation to the processing of personal data by the Commission for the purpose of supervision, investigation, enforcement and monitoring under Regulation (EU) 2022/2065
- https://eur-lex.europa.eu/eli/dec/2025/628/oj/eng
This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.