How the Digital Omnibus Proposes to Change the GDPR
This blog was originally posted on 1st December, 2025. Further regulatory developments may have occurred after publication.
AUTHORED BY ANI NOZADZE, SENIOR REGULATORY COMPLIANCE SPECIALIST AND TEAM LEAD, COMPLIANCE & RISKS
Digital Omnibus Packages
On 19 November 2025, the EU Commission presented a package of proposed amendments which includes changes to the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, the Data Act and other digital laws (Digital Omnibus). This blog explores the changes proposed to the GDPR.
On the same date, there was a separate package proposed with the amendments to the EU AI Act (Digital Omnibus on AI), which will be addressed in a separate blog post in the coming days.
Clarification in the Definition of “Personal Data”
The definition of “personal data” in the GDPR is proposed to be amended to state that the fact that a different entity may be capable of identifying a data subject does not necessarily mean that the data is personal for the current entity. Below is the current text and the proposed addition to Article 4(1).
| Current text | Proposed text |
| “Article 4 Definitions […] (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” | “Article 4 Definitions […] (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.” |
While this proposed change was welcomed by many in the industry, various questions arise in terms of the necessity of putting relevant safeguards in place when such data is shared with other entities.
Further Additions to the Definitions
Definitions of “terminal equipment”, “electronic communications networks”, “web browser”, “media service”, “media service provider”, “online interface” and “scientific research” are added. The latter is particularly important as the proposed changes to Article 5(1)(b) include a reference to scientific research, among others (see next point).
| Current text | Proposed text |
| “Article 4 Definitions” No definition of “scientific research” | “Article 4 Definitions […] (38) “scientific research” means any research which can also support innovation, such as technological development and demonstration. These actions shall contribute to existing scientific knowledge or apply existing knowledge in novel ways, be carried out with the aim of contributing to the growth of society’s general knowledge and wellbeing and adhere to ethical standards in the relevant research area. This does not exclude that the research may also aim to further a commercial interest.” |
Subsequent Data Processing for Scientific Research Purposes, etc.
Proposed changes to Article 5(1)(b) would make further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes presumed to be compatible with the initial purposes, as long as the conditions of Article 89(1) are met (anonymisation or pseudonymisation where possible). The conditions set out in Article 6(4) for compatible processing would no longer need to be considered.
| Current text | Proposed text |
| “Article 5 Principles relating to processing of personal data […] 1. Personal data shall be: […] (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);” | “Article 5 Principles relating to processing of personal data […] 1. Personal data shall be: […] (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), be considered to be compatible with the initial purposes, independent of the conditions of Article 6(4) of this Regulation, (‘purpose limitation’);” |
Processing of Special Categories of Personal Data
The Digital Omnibus adds two derogations to Article 9 in order to allow processing of special categories of personal data (“data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”). These two additions to Article 9(2) are illustrated below:
| Current text | Proposed text |
| “Article 9 Processing of special categories of personal data […] 2. Paragraph 1 shall not apply if one of the following applies:” Currently only 10 subparagraphs (a-j) | “Article 9 Processing of special categories of personal data […] 2. Paragraph 1 shall not apply if one of the following applies: […] (k) processing in the context of the development and operation of an AI system as defined in Article 3, point (1), of Regulation (EU) 2024/1689 or an AI model, subject to the conditions referred to in paragraph 5. (l) processing of biometric data is necessary for the purpose of confirming the identity of a data subject (verification), where the biometric data or the means needed for the verification is under the sole control of the data subject.” |
Furthermore, a new paragraph is added to Article 9 to state that entities may process personal data for model training as a legitimate interest.
| Current text | Proposed text |
| “Article 9 Processing of special categories of personal data” Currently only 4 paragraphs. | “Article 9 Processing of special categories of personal data […] 5. For processing referred to in point (k) of paragraph 2, appropriate organisational and technical measures shall be implemented to avoid v the collection and otherwise processing of special categories of personal data. Where, despite the implementation of such measures, the controller identifies special categories of personal data in the datasets used for training, testing or validation or in the AI system or AI model, the controller shall remove such data. If removal of those data requires disproportionate effort, the controller shall in any event effectively protect without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties.” [sic] |
Abusive Data Subject Access Requests
The proposal allows the controller to reject the data subject access request or charge a reasonable fee for handling it if the data subject is submitting the request for purposes other than protecting their personal data. The controller still bears the burden of demonstrating that the request is manifestly unfounded or excessive.
| Current text | Proposed text |
| “Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject […] 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) Refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.” | “Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject […] 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character or also, for requests under Article 15 because the data subject abuses the rights conferred by this regulation for purposes other than the protection of their data, the controller may either: (a) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) Refuse to act on the request. The controller shall bear the burden of demonstrating that the request is manifestly unfounded or that there are reasonable grounds to believe that it is excessive.” |
Relaxed Transparency Requirements
Changes to Article 13(4) ease the transparency requirements when data is collected directly from data subjects or processing is carried out for scientific research purposes. Below are the proposed changes:
| Current text | Proposed text |
| “Article 13 Information to be provided where personal data are collected from the data subject […] 4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.” | “Article 13 Information to be provided where personal data are collected from the data subject […] 4. Paragraphs 1, 2 and 3 shall not apply where the personal data have been collected in the context of a clear and circumscribed relationship between data subjects and a controller exercising an activity that is not data-intensive and there are reasonable grounds to assume that the data subject already has the information referred to in points (a) and (c) of paragraph 1, unless the controller transmits the data to other recipients or categories of recipients, transfers the data to a third country, carries out automated decision-making, including profiling, referred to in Article 22(1), or the processing is likely to result in a high risk to the rights and freedoms of data subjects within the meaning of Article 35. 5. When the processing takes place for scientific research purposes and the provision of information referred to under paragraphs 1, 2 and 3 proves impossible or would involve a disproportionate effort subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing, the controller does not need to provide the information referred to under paragraphs 1, 2 and 3. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.” |
Slight Modifications to the Rules for Automated Individual Decision-Making
Proposed changes under the Digital Omnibus package include slight modifications to Article 22 as set out below:
| Current text | Proposed text |
| “Article 22 Automated individual decision-making, including profiling 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent.” | “Article 22 Automated individual decision-making, including profiling 1. A decision which produces legal effects for a data subject or similarly significantly affects him or her may be based solely on automated processing, including profiling, only where that decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller regardless of whether the decision could be taken otherwise than by solely automated means; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent.” |
Data Breach Reporting Portal
The proposal aims to establish a common portal for reporting all incidents under the GDPR, the Network and Information Security Directive (NIS2), the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience Directive (CER). The reporting threshold is proposed to be raised (only personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons would need to be reported) and the maximum period for reporting would be extended from the current 72 hours to 96 hours. The European Data Protection Board (EDPB) will draft a proposed common template for notifying these breaches. It will also draft a list of circumstances when the breach is likely to result in a high risk. The template and the list are proposed to be reviewed at least every three years. (Proposed changes to Article 33 of the GDPR.)
Data Protection Impact Assessments
The proposal also requires the EDPB to prepare a list of processing operations that are subject to the data protection impact assessment (DPIA) requirement, as well as the operations for which DPIA is not required. Currently, this is done by the Member States’ supervisory authorities, thus this proposed change will bring more consistency.
The Board is also tasked to prepare a proposal for a common template and a common methodology for conducting DPIAs. (Proposed changes to Article 35 of the GDPR).
New Provision Relating to Pseudonymisation
A new Article 41a would state that the EU Commission “may adopt implementing acts to specify means and criteria to determine whether data resulting from pseudonymisation no longer constitutes personal data for certain entities”.
Cookies / Online Tracking
The Digital Omnibus draft tries to address the challenges around cookie banners and recurring consent requests (“consent fatigue”). The EU Commission proposes inserting a new Article 88a into the GDPR that sets out consent requirements for storing and accessing personal data on the terminal equipment of data subjects (currently governed by the ePrivacy Directive).
Users are to be given the ability to refuse non-essential cookies with a single click (or equivalent means). Importantly, if a request for consent is declined, a new request for consent for the same purpose may only be made after at least 6 months.
A new Article 88b proposes automated and machine-readable indications of individual choices with respect to processing of personal data in the terminal equipment. Controllers are required to ensure that their online interfaces allow consent or rejection through automated and machine-readable means. This does not apply to media service providers when providing a media service. Standards will be developed for the interpretation of machine-readable indications of individuals’ choices.
Processing Personal Data for AI Training Purposes
Another new provision proposed to be added to the GDPR is Article 88c which would state that processing personal data for AI model training is a legitimate interest under Article 6(1)(f) of the GDPR, except when the EU or Member State laws explicitly require consent, and when legitimate interests are overridden by the interests or fundamental rights and freedoms of individuals (especially in case of children).
Timelines
The Digital Omnibus draft will now be examined by the European Parliament and the Council. Under the ordinary legislative procedure, adoption could be expected sometime in mid-to-late 2026. However, there is a possibility of the Parliament applying its urgent procedure which could accelerate adoption. Conversely, if negotiations between the Parliament and the Council prove difficult, the adoption of the Digital Omnibus package(s) would be delayed.
Compliance & Risks will closely monitor the Digital Omnibus, as well as the Digital Omnibus on AI, and provide updates on further developments.
For other proposed changes to the GDPR, introduced in May 2025, please see this blog post: ‘GDPR Simplification: Exemptions Expanded for Smaller Businesses’.