DSA Terms and Conditions Requirements
This new topic is needed to specifically address the requirements for terms and conditions documents under the DSA, including transparency, accessibility, and mandatory content requirements for digital service providers.
terms and conditions general terms service terms user terms terms of service DSA terms requirements service provider terms platform terms
Overview
Legal Framework
The requirements for terms and conditions are primarily governed by Article 14 of the Digital Services Act (DSA). The law mandates that providers of intermediary services must draft their terms and conditions in a clear, plain, intelligible, and unambiguous manner, and make them publicly available in an easily accessible format. Recital 39 clarifies that this information must comprehensively detail the available redress mechanisms, including internal complaint-handling systems, out-of-court dispute settlement, and judicial remedies. Furthermore, Recital 26 establishes a critical principle: terms must not discourage providers from undertaking voluntary good-faith actions against illegal content by threatening the loss of liability exemptions.
Practical Application
The DSA’s transparency requirements demand that terms go beyond a pro-forma legal document. They must function as a genuinely usable guide for recipients of the service. This includes providing clear, specific information on content moderation policies, the justification for restrictions, and the procedural steps for appealing decisions. The requirement for accessibility, informed by principles from case law like Egan & Hackett, means terms cannot be buried or presented in a way that systematically hinders a user's ability to find and understand them. In practice, providers must structure their terms to allow users to easily locate key sections on acceptable use, enforcement actions, and complaint procedures.
Key Considerations
- Structure for Usability: Organize terms with clear headings, a table of contents, or a search function. Key sections on content moderation, account suspension, and complaint procedures should be prominently accessible, not hidden in dense legal prose.
- Integrate Good-Faith Protections: Explicitly state that the provider’s voluntary actions to detect and remove illegal content, undertaken diligently and in good faith, will not lead to a general loss of liability protections under the DSA, as per Recital 26.
- Detail Redress Pathways: Clearly map out all available redress options, including internal complaint forms, certified out-of-court dispute settlement bodies, and the possibility of judicial appeal, specifying relevant timelines and contact points.
Laws (34)
View all 34Case Law (1)
Guidance (19)
Version history
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Guidelines 05/2020 on consent under Regulation 2016/679
Guidelines on consent
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Richtsnoeren 06/2020 inzake de wisselwerking tussen de tweede richtlijn betalingsdiensten en de AVG
guidelines wisselwerking toepassing artikel 3 en hoofdstuk V AVG
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Guidelines 8/2020 on the targeting of social media users
Guidelines on the targeting of social media users
Richtsnoeren 02/2021 inzake virtuele spraakassistenten
guidelines over virtuele spraakassistenten
Een virtuele spraakassistent ( virtual voice assistant , of VVA) betreft een dienst die spraakgestuurde opdrachten begrijpt en uitvoert, of indien nodig als tussenschakel optreedt naar andere IT-systemen. Tegenwoordig is een VVA als optie beschikbaar op de meeste smartphones, tablets en reguliere computers en sinds enkele jaren zelfs op losse apparaten zoals smartspeakers. Een VVA functioneert als schakel tussen de gebruiker en zijn apparaat of een online dienst zoals een zoekmachine...
Versiegeschiedenis
guidelines uitvoeren overeenkomst
Richtsnoeren 03/2021 voor de toepassing van artikel 65, lid 1, punt a), AVG
guidelines voor de toepassing van artikel 60 AVG
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
Guidelines 02/2021 on virtual voice assistants
Guidelines on virtual voice assistants
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in the latest years, even standalone devices like smart speakers. VVAs act as interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal...
Richtsnoeren 2/2018 inzake afwijkingen op grond van artikel 49 van Verordening 2016/679
guidelines afwijkingen van artikel 49
Richtsnoeren 1/2019 voor gedragscodes en toezichthoudende organen in de zin van Verordening 2016/679
guidelines gedragscodes en toezichthoudende organen
Richtsnoeren 01/2022 over de rechten van betrokkenen Recht van inzage
guidelines recht op inzage
Het recht van inzage van betrokkenen is vastgelegd in artikel 8 van het Handvest van de grondrechten van de Europese Unie. Het maakt al sinds het begin deel uit van het Europese wettelijke kader voor gegevensbescherming en wordt nu verder ontwikkeld met specifiekere, preciezere regels in artikel 15 AVG.
Richtsnoeren 05/2020 inzake toestemming overeenkomstig Verordening 2016/679
guidelines toestemming
News (10)
Rent-Only Copyright Culture Makes Us All Worse Off
We're taking part in Copyright Week, a series of actions and discussions supporting key principles that should guide copyright policy. Every day this week, various groups are taking on different elements of copyright law and policy, and addressing what's at stake, and what we need to do to make sure that copyright promotes creativity and innovation. In the Netflix/Spotify/Amazon era, many of us access copyrighted works purely in digital form – and that means we rarely have the chance t
Legacy Switches: A Proposal to Protect Privacy, Security, Competition, and the Environment from the Internet of Things
Georgetown University Law Center researchers propose that every IoT device manufacturer build a switch into their devices that disables any smart feature that contributes to security or privacy risks. This will render a smart thermostat just a thermostat and a smart doorbell just a doorbell, and will disable microphones, sensors, and wireless connectivity. Any user should find it easy to use and easy to verify whether the switch has been toggled.
Meta to change UK terms of service, maintain data flows
> Meta plans to change its terms of service and privacy notices for U.K. users, Bloomberg reports. U.K. Facebook, Instagram and WhatsApp users will retain data rights under the U.K. General Data Protection Regulation while the company moves user data out of the EU General Data Protection Regulation's jurisdiction. A Meta spokesperson said the updates, which were planned following the U.K.'s 2020 Brexit agreement, "don't change the way we treat UK users’ data." The move als
An analysis of Dutch case law: what factors play a role in awarding (or not) and determining the extent of damages under the GDPR?
Since May 2018, the GDPR has been directly applicable in the European Economic Area, including the member states of the European Union, Liechtenstein, Norway, and Iceland. Four years later, awarding damages for GDPR violations is still not a common practice in the Netherlands, despite the fact that news reports regularly mention data breaches and other GDPR violations. This article analyzes Dutch case law over the past four years to see what factors may influence the awarding of damages under th
Quod erat demonstrandum? - Towards a typology of the concept of explanation for the design of explainable AI
> * We propose a framework for defining different types of explanations of AI systems. > * We contextualize current XAI discourses within the proposed framework. > * We highlight two broad perspectives for defining quality criteria for explainability. > * We discuss the relevance of our framework in light of current and upcoming AI regulation.
UK data protection reform: How the UK's GDPR may change
> The current version of the Bill seeks to maintain the majority of key principles that underpin the UK data protection law framework, while at the same time modifying certain key provisions in relation to accountability, lawful grounds for processing, data subject access requests and cookies, amongst others. A [consolidated redline version of the UK GDPR by Hogan Lovells](https://www.engage.hoganlovells.com/knowledgeservices/attachment_dw.action?attkey=FRbANEucS95NMLRN47z%2BeeOgEFCt8EGQJsWJiCH
Regulating the Risks of AI
> This Article observes that constructing AI harms as risks is a choice with consequences. Risk regulation comes with its own policy baggage: a set of tools and troubles that have emerged in other fields. Moreover, there are at least four models for risk regulation, each with divergent goals and methods. Emerging conflicts over AI risk regulation illustrate the tensions that emerge when regulators employ one model of risk regulation, while stakeholders call for another.
Who Is Collecting Data from Your Car?Who Is Collecting Data from Your Car?
> A firehose of sensitive data from your vehicle is flowing to a group of companies you’ve probably never heard of
European Commission sued for violating transfer rules by using Amazon Web Services
The European Commission faces a lawsuit over allegations it is violating its own data protection rules by transferring citizens’ personal data on one of its websites to Amazon Web Services in the United States.
EU-Hof: consumentenbeschermings-verenigingen mogen representatieve vorderingen instellen tegen inbreuken op de bescherming van persoonsgegevens
An association representing consumer interests may bring a representative action against the alleged perpetrator of a personal data breach. A specific breach of a data subject's right to the protection of his or her personal data is not required to bring such a claim. In addition, such a claim can be brought independently of whether a data subject has given an order to do so. This is the EU Court's answer to questions from a German court.