Europe’s Digital Rulebook Gets Its First Tune-Up as EU Aligns DMA & GDPR

Key Takeaways

• First Joint Guidance: The European Data Protection Board (EDPB) and the European Commission issued their first-ever joint guidelines clarifying how the Digital Markets Act (DMA) aligns with the General Data Protection Regulation (GDPR).
• Complementary Frameworks: The guidance confirms the DMA and GDPR pursue different but compatible goals, fairness and contestability for digital markets under the DMA, and data protection and privacy under the GDPR.
• Compliance Clarity for Gatekeepers: The guidelines explain how large platforms must handle consent, data sharing, portability, and interoperability in line with both regulations.
• Regulatory Coordination: The EDPB and Commission emphasized closer cooperation between competition and data protection authorities to ensure consistent enforcement.

Deep Dive

The European Data Protection Board (EDPB) and the European Commission have issued their first-ever joint guidelines, clarifying how the Digital Markets Act (DMA) interacts with the General Data Protection Regulation (GDPR). The document aims to provide legal certainty and consistency for companies subject to both frameworks, particularly large online platforms designated as “gatekeepers.”

The guidelines (the first of their kind jointly prepared by the two authorities) seek to ensure the DMA and GDPR are applied in a complementary and coherent way. They form part of the EDPB’s 2024–2027 Strategy and align with the Helsinki Statement’s goal of simplifying compliance and strengthening regulatory consistency across the EU.

“These joint guidelines are the result of a fruitful cooperation between the EDPB and the European Commission,” said EDPB Chair Anu Talus. “This approach simplifies compliance for businesses and brings enhanced legal certainty to them.”

Clarifying Overlaps Between Two Pillars of EU Digital Law

Both the DMA and GDPR aim to protect individuals in the digital environment but address different challenges: the GDPR safeguards personal data and privacy, while the DMA promotes fair and competitive digital markets. The EDPB and Commission said the two frameworks are “complementary in terms of goals and protections,” and that the new guidelines would help ensure consistent interpretation.

Several DMA provisions explicitly reference GDPR definitions and concepts. The new guidelines clarify how gatekeepers, large platforms such as online search engines, app stores, and messaging services, should meet data protection requirements when fulfilling DMA obligations.

Among the areas covered:

• Consent and data use: Gatekeepers must ensure valid user consent under both the DMA and GDPR before combining or cross-using personal data across core platform services.
• Third-party apps and stores: Measures taken to comply with Article 6(4) DMA on third-party software must also meet GDPR and ePrivacy standards.
• Data portability and access: The guidelines explain how DMA rights under Articles 6(9) and 6(10) align with GDPR rules on data transfers and access, including safeguards for cross-border sharing.
• Search data and anonymization: Under Article 6(11), gatekeepers must anonymize search data shared with third-party search engines to preserve privacy.
• Interoperability of messaging services: Article 7 requires compliance with data minimization and security principles when enabling cross-platform communication.

The document also outlines how the Commission and national data protection authorities should coordinate their enforcement activities to avoid overlap, referencing CJEU case law on cooperation and the ne bis in idem principle.

Consultation Open Until December

The draft guidelines are now open for public consultation until December 4, 2025, giving stakeholders the opportunity to comment before final adoption. All submissions will be published on the DMA website, with the final version jointly prepared by the EDPB and Commission after the consultation period.

The EDPB confirmed that further joint work is planned to clarify interactions between other digital regulations. In particular, it is collaborating with the Commission’s AI Office on forthcoming guidelines addressing the relationship between the AI Act and EU data protection law.

The guidelines are the latest example of how Brussels is attempting to harmonize its growing network of digital laws. For companies caught between overlapping compliance regimes, the EDPB said the goal is to provide clearer expectations and avoid conflicting obligations, a signal that Europe’s regulators are increasingly coordinating their approach to data, privacy, and platform oversight.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.