Digital media sits across two EU regimes simultaneously: GDPR for subscriber and audience data, DSA for comments and moderated content. We file the Art. 27 representative, operate the Art. 16 notice endpoint, host the DSR inbox, and provide the public trust page your newsroom links to when readers ask what happens with their data. Your CMP of choice — Cookiebot, Usercentrics, OneTrust — sits alongside; we integrate rather than replace it.
Digital media sits at the intersection of three distinct regimes — each with its own supervisory authority, enforcement appetite, and typical complaint pattern. We operate all three from one desk.
Every non-strictly-necessary tracker needs prior, informed, specific consent. You run this through a dedicated CMP; we sit alongside, not on top.
Subscriber accounts, newsletter lists, payment data, behavioural profiles — all personal data with processing purposes and retention limits.
If your site hosts user comments, reader submissions, forum threads, or user-generated contributions — the DSA's hosting-services duties apply.
Every reader interaction that touches privacy — a DSR, a comment dispute, a notice to your newsroom, a DPA inbound — runs through the same pipeline. Each stage is an artefact we operate.
Via the hosted privacy page: access, erasure, portability, objection, rectification. Auto-routed to the right internal team with our 30-day deadline timer attached.
We verify the requester, scope the data pull to the right subscriber record, and flag any special-category concerns (journalistic sources, minors, sensitive subjects).
Data package, erasure confirmation, or reasoned denial — drafted in the reader's language, signed by the controller, delivered through the hosted portal.
When it happens (and on a newsroom audience, it will), the DPA writes to our Art. 27 address. Our counsel answers in your name with the full evidence trail.
Single export: DSR timeline, response artefact, sub-processor register, incident log, transparency report. Answer time: minutes, not weeks.
Publisher DSR volume is real. Subscription-facing newsrooms see 10–100x the DSR volume of a typical SaaS — audiences are larger, regulatory awareness is higher, and a meaningful slice of readers are journalists who know the rules. The hosted inbox is built to scale through that.
Your editorial team stays out of it. We handle the intake, verification, and response drafting. Your editorial leadership gets involved only on the hard cases — a journalistic-source request, a reader trying to unpublish a correction they objected to, a high-profile right-to-be-forgotten claim.
The complaint wall. When a reader complains to a DPA, we get the first call. With the signed DSR log and the incident register, our counsel answers in your name. Most complaints close at first response; a few escalate; we carry them.
Privacy Center and GDPR Rep are the two that apply to every EU-facing publisher. DSA Rep turns on the moment your site accepts comments. DPO becomes mandatory at subscriber scale.
Hosted trust hub · DSR inbox · versioned policies · sub-processor registry · incident log.
Art. 27 rep · DPA correspondence · ROPA builder · UK GDPR add-on for cross-market publishers.
Art. 13 rep · Art. 16 notice endpoint · Statement-of-Reasons filings · Art. 15 transparency.
Required at large-scale systematic monitoring — which most EU-facing publishers cross on reader count alone.
If your feed, homepage, or push notifications use an AI recommender — Art. 22 obligations kick in.
Some large publishers host other media's content (syndication). NIS 2 can apply — we'll check on the call.
Not yet. Consent is on our roadmap but isn't live today. Most publishers we work with run a dedicated CMP — Cookiebot, Usercentrics, OneTrust — and we sit alongside it. We draft the cookie policy and tracker disclosures; the CMP runs the banner and logs consent; our Privacy Center hosts the hub the banner links to. If the current banner has legal exposure (accept-all-only designs are now flagged by CNIL, Garante, and others), we'll say so on the discovery call and recommend a CMP that fixes it.
The editorial content doesn't trigger DSA hosting duties — a journalist's article isn't user-generated content. But almost every news site accepts reader comments, letters to the editor, or forum submissions. That is hosting content at the direction of third parties, and the Art. 13 / Art. 16 / Art. 17 duties apply to those sections of the site.
IAB Europe's Transparency & Consent Framework v2.2 is the ad-tech industry's shared consent-string standard. It's not legally required — it's an industry convention — but practically, if you want your ad inventory to work across SSPs and DSPs, your CMP needs to emit a valid TCF string. We don't run the CMP ourselves today; the major providers (Cookiebot, Usercentrics, OneTrust, Didomi) all emit valid TCF 2.2, and we integrate with them.
A newsletter alone rarely triggers the Art. 37 mandatory-DPO thresholds. A subscription publisher with tens of thousands of paying subscribers usually does — "large-scale systematic monitoring" includes behavioural profiling of audience engagement. If your buyers (or your legal exposure) ask, having one is usually cheaper than arguing about whether you need one.
You're still in scope for ePrivacy and GDPR — every reader's or listener's data is personal data. DSA obligations mostly don't apply unless you host third-party submissions. Many streamers run with just Privacy Center + GDPR Rep; if you add commenting, playlists, or user uploads, DSA turns on.
AI-generated content adds transparency obligations (Art. 50 of the AI Act — "this content was generated or altered with AI"). A personalisation engine that materially steers what readers see can hit the AI Act as a "limited-risk" system, which means disclosing that AI is at work. Our AI Act rep product covers both.
30-minute discovery call. We'll audit your DSR volume, comment footprint, CMP setup, and AI usage — and scope the publisher stack in writing.