The European Data Protection Board (EDPB) and the European Commission have opened a public consultation on their Joint Guidelines addressing how the Digital Markets Act (DMA) interacts with the General Data Protection Regulation (GDPR). The draft aims to clarify how gatekeeper obligations under the DMA align with core GDPR principles, including legal bases, consent, data minimization, anonymization, and purpose limitation. It also outlines coordination needs between competition and data protection authorities to ensure consistent enforcement without undermining data protection rights.
A central theme is the proper use of legal bases when gatekeepers process personal data to comply with DMA duties, such as interoperability, data access and portability, and restrictions on combining data across services. The guidelines caution against relying on contract or legitimate interest where the processing materially affects users’ rights or involves profiling across services, stressing that consent must be freely given, specific, informed, and granular. They also set expectations for true anonymization (i.e., irreversibility) and reiterate that pseudonymized data remains personal data. For consent obtained under DMA-related scenarios, the guidelines emphasize anti-dark-pattern design, no bundling, and equal service for non-consent where feasible.
Institutional cooperation is another focus: the guidelines encourage structured information-sharing and case coordination between competition and data protection authorities, while respecting each authority’s mandate. They propose mechanisms to avoid conflicting interpretations, streamline investigations, and align remedies where DMA and GDPR issues overlap. Stakeholders are invited to submit comments by 4 December 2025 via the EDPB website, which hosts the consultation materials and the Specific Privacy Statement detailing legal information.
Key takeaways:
- Public consultation open until 4 December 2025; submissions via the EDPB website.
- The draft clarifies how DMA gatekeeper duties align with GDPR principles.
- Legal basis selection must reflect impacts on users; consent must be valid, unbundled, and free of dark patterns.
- Combining data across services generally requires valid consent; legitimate interest is limited in high-risk contexts.
- Anonymization must be irreversible; pseudonymized data is still personal data under GDPR.
- Purpose limitation and data minimization apply to DMA-driven processing.
- Interoperability and data access obligations must be implemented with privacy-by-design.
- Coordination mechanisms between competition and data protection authorities are encouraged to avoid inconsistent outcomes.
- Remedies should be consistent across DMA and GDPR enforcement.
- The SPS provides all legal details for the consultation process.
