The labyrinth of EU digital regulation for multinational clients continues to grow, and we continue to help business owners and law firms automate their GDPR and data-privacy requirements. We have long anticipated a unified interpretive framework for the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). The endorsement of joint guidelines by the European Data Protection Board (EDPB) and the European Commission on October 9, 2025, in Brussels, is a watershed moment in this regard. For the first time, these bodies have collaborated on such guidance, signalling a strategic pivot toward streamlined compliance now that the DMA has been fully applicable since March 2024. These draft guidelines, open for public consultation until December 4, 2025, dissect the complementary yet distinct roles of the DMA (market contestability) and the GDPR (individual data rights), offering gatekeepers, business users and end users actionable clarity on their overlapping obligations. In my practice, this document is a beacon for designing privacy-by-default architectures that propel innovation without inviting fines under both regimes: up to 10% of worldwide turnover under the DMA and up to 4% under the GDPR.
Background: The Complementary Mandates of DMA and GDPR
The DMA, in force since November 2022 and fully applicable from March 7, 2024, targets designated "gatekeepers" such as Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft that provide core platform services (CPS) such as search engines, social networks and app stores. Its aim is to curb gatekeeper dominance and foster fairer, more contestable digital markets through obligations such as data sharing and interoperability, with the Commission holding sole enforcement powers and the ability to impose steep penalties. The GDPR, by contrast, applicable since 2018, protects the data rights of all natural persons through principles such as data minimisation and accountability, and is enforced in a decentralised way by national supervisory authorities with EDPB oversight.
While DMA Recital 12 explicitly states that the DMA applies without prejudice to the GDPR, overlaps abound: DMA-mandated processing (for example, portability under Article 6(9)) often involves personal data, so it has to be carried out in a GDPR-compliant way. The guidelines, rooted in Article 47 DMA and Article 70(1)(e) GDPR, stress complementarity: the DMA enhances contestability, which indirectly strengthens GDPR freedoms by curbing data lock-in. They also invoke sincere cooperation (Article 4(3) TEU) and the ne bis in idem principle to avert double jeopardy. Definitions align: "end user" covers consumers using a CPS; "business user" denotes commercial actors; "personal data" mirrors GDPR Article 4(1). This foundational synergy means that, where a DMA obligation can be met in several ways, the gatekeeper should implement it along the path that best respects GDPR principles, preserving both market vitality and privacy.
The Endorsement Milestone and Collaborative Genesis
Endorsed in Brussels on October 9, 2025, these guidelines emerge from EDPB-Commission collaboration, aligning with the EDPB's 2024-2027 Strategy for consistent GDPR application and the Helsinki Statement's call for enhanced clarity. EDPB Chair Anu Talus hailed the effort: "This is the first time that the EDPB and the European Commission prepare guidelines jointly. This approach maximises usefulness of the guidance by simplifying compliance for businesses and bringing enhanced legal certainty to them." Structured across eight sections, spanning an executive summary, preambles and targeted analyses, the document prioritises user-centric design, data minimisation and accountability, drawing on CJEU jurisprudence for robust interpretation.
The public consultation, launched concurrently, invites stakeholder input via the DMA website, with submissions published after the December 4, 2025 deadline, minus confidential data. This iterative process, culminating in a finalised text, exemplifies participatory governance and allows tech firms and advocates to refine details such as consent granularity.
DMA-GDPR Touchpoints
The guidelines methodically unpack the intersections, emphasising that compliance measures must be consistent with the GDPR (DMA Article 8(1)), without claiming exhaustive coverage. Below, I dissect the pivotal areas, enriched by practical examples from my advisory work.
End-User Choice and Consent: Navigating Article 5(2) DMA
Article 5(2) DMA prohibits gatekeepers from processing end-user personal data for online advertising (point (a)), combining it across CPS, other gatekeeper services or third-party services (point (b)), cross-using it between services (point (c)), or signing users in to other services in order to combine data (point (d)) unless the end user has been presented with a specific choice and has given GDPR-valid consent (Articles 4(11) and 7 GDPR). Consent must be freely given, granular (for example, separate for personalisation and for ads), informed via clear notices, and as easy to withdraw as to give; it must be explicit for special categories of data (Article 9(2)(a)). No pre-ticked boxes or nudging; interfaces must be neutral, with a single consent flow for closely related purposes and no repeated requests within 12 months of a refusal.
The guidelines also map out where consent is not the route. Cross-use within "interconnected services" (for example, payment data supporting an e-commerce CPS) may rely on Article 6(1)(b) or 6(1)(f) GDPR (contractual necessity or a balanced legitimate interest), but never for ad personalisation. Legal obligations (Article 6(1)(c)) can cover fraud detection; vital interests (Article 6(1)(d)) will rarely apply. Profiling for advertising must not draw on special categories of data (DSA Article 26(3); Political Advertising Regulation Article 18(1)(c)). Example: a social-network gatekeeper cannot merge third-party app data for ads without consent collected through a dedicated interface; search queries cross-used to display results in the engine itself may rest on legitimate interests if the use is ancillary.
Power imbalances can invalidate consent, so gatekeepers must offer a "less personalised but equivalent" service without degradation to make the choice real. In audits, I stress DPIAs (Article 35 GDPR) for these high-risk processing operations, and mitigating consent fatigue via quarterly reminders or digests.
Software Distribution and Integrity: Article 6(4) DMA
Gatekeepers must allow third-party apps and app stores on their CPS (for example, sideloading on iOS) while safeguarding device integrity and confidentiality (Article 6(4)). GDPR requires access controls, encryption and breach notification in any case; gatekeepers cannot dictate how beneficiaries, as independent controllers, process data. Measures such as sandboxed APIs provide security without overreach. Example: Apple permitting Epic's app store requires granular permissions, but Epic handles its own GDPR compliance autonomously.
Data Portability and Access: Empowering Mobility Under Articles 6(9) and 6(10)
Article 6(9) DMA extends GDPR Article 20 portability to all data provided by, or generated through the activity of, the end user (for example, playlists, interactions, IP addresses, on-device metrics), whatever the lawful basis of the original processing, with free, continuous and real-time access, including for authorised third parties, and including other people's data where they consent. The gatekeeper's lawful basis is Article 6(1)(c) GDPR. Granular controls (subsets, timeframes) should be offered via neutral dashboards; international transfers to jurisdictions without an adequacy decision call for explicit consent (Article 49(1)(a)) after the risks have been disclosed. Example: a Meta end user ports interaction data to a rival network, excluding other people's content via the tools provided, in a structured format such as JSON.
Article 6(10) grants business users and authorised third parties access to the data generated through their interactions with end users (for example, engagement metrics): aggregated data by default, and non-aggregated personal data only with opt-in consent. Gatekeepers facilitate access via interfaces and verify that the conditions are met; business users remain responsible for the validity of the consent. Example: an Amazon seller accesses buyer preferences after obtaining consent at the same level of granularity as Amazon's own mechanisms.
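The portability export described above is where over-sharing typically happens: a naive "dump everything in the account" export leaks the other side of every conversation. The following Python is an added illustration written for this article, not code from the guidelines or from any gatekeeper; the record store, the `owner`/`author` fields, the `portability-export/1` schema label and the consent set are all assumptions. It implements the three controls the text asks for: the account boundary is never crossed, subsets and timeframes are selectable, and content authored by someone else is included only when that author has consented.

```python
import json
from datetime import datetime, timezone

# Constructed store for a hypothetical social CPS; every record is invented.
# "owner" is the account the record sits in, "author" is who produced it.
RECORDS = [
    {"id": 1, "type": "playlist", "owner": "alice", "author": "alice",
     "ts": "2025-01-10T09:00:00Z", "data": {"name": "Focus", "tracks": ["t1", "t2"]}},
    {"id": 2, "type": "interaction", "owner": "alice", "author": "alice",
     "ts": "2025-03-02T12:30:00Z", "data": {"liked_post": 501}},
    {"id": 3, "type": "message", "owner": "alice", "author": "alice",
     "ts": "2025-06-15T18:00:00Z", "data": {"to": "bob", "text": "see you at 7"}},
    {"id": 4, "type": "message", "owner": "alice", "author": "bob",
     "ts": "2025-06-15T18:05:00Z", "data": {"to": "alice", "text": "ok"}},
    {"id": 5, "type": "message", "owner": "alice", "author": "carol",
     "ts": "2025-06-16T08:00:00Z", "data": {"to": "alice", "text": "lunch?"}},
    {"id": 6, "type": "playlist", "owner": "bob", "author": "bob",
     "ts": "2025-02-01T00:00:00Z", "data": {"name": "Bob's mix", "tracks": ["t9"]}},
]


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ("...Z") into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def export_user_data(records, subject, categories=None, since=None, until=None,
                     third_party_consent=frozenset()):
    """Build a portability export for `subject`.

    - Records owned by another account are never included, whatever the filters.
    - `categories` and the `since`/`until` window are the granular
      subset/timeframe controls.
    - Content authored by someone else (e.g. a message bob sent to alice) is
      included only if that author appears in `third_party_consent`.
    """
    since_dt = _parse_ts(since) if since else None
    until_dt = _parse_ts(until) if until else None
    selected = []
    for rec in records:
        if rec["owner"] != subject:            # account boundary, checked first
            continue
        if categories is not None and rec["type"] not in categories:
            continue
        ts = _parse_ts(rec["ts"])
        if since_dt is not None and ts < since_dt:
            continue
        if until_dt is not None and ts > until_dt:
            continue
        if rec["author"] != subject and rec["author"] not in third_party_consent:
            continue                            # other people's content, no consent
        selected.append(rec)
    return {
        "schema": "portability-export/1",       # assumed schema label
        "subject": subject,
        "filters": {"categories": sorted(categories) if categories else None,
                    "since": since, "until": until},
        "third_party_authors_included": sorted(
            {r["author"] for r in selected if r["author"] != subject}),
        "records": selected,
    }


def to_json(export):
    """Serialise in a structured, commonly used, machine-readable format."""
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(export_user_data(RECORDS, "alice", third_party_consent={"bob"})))
```

The export records which third-party authors were included so the receiving service can show its own provenance, and the consent set is an explicit input rather than something looked up implicitly, which keeps the decision auditable.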
Anonymisation and Interoperability: Balancing Contestability and Security
Article 6(11) DMA mandates sharing of anonymised ranking, query, click and view data with rival search engines, using techniques such as noise addition or aggregation so that re-identification is not reasonably likely (GDPR Recital 26). Contracts must bar re-identification attempts. Example: Google anonymises queries before supplying them to Bing, enabling market entry without eroding privacy.
Article 7 DMA interoperability for number-independent interpersonal communications services (for example, WhatsApp-Signal messaging) limits the data exchanged to what is essential (content, identifiers, metadata), with opt-in features and the same level of security, including end-to-end encryption, preserved across services. Geographic blocks must be kept to a minimum; DPIAs are obligatory. Example: Meta shares obfuscated IPs for spam detection, processing under a balanced Article 6(1)(f) interest and eschewing continuous surveillance.
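"Aggregation plus noise" is easy to get wrong: aggregating by raw hit count still releases a query that only one or two people ever typed, and that query may itself be identifying. The Python below is an added example for this article, not code from the guidelines, Google or any gatekeeper; the log rows, the threshold `K_MIN_USERS = 5` and the budget `EPSILON = 1.0` are assumed values. It applies the two techniques the text names (small-group suppression measured in distinct users, then Laplace noise per aggregated cell) to the Article 6(11) query/click data, and adds an independent pre-release check that no small group slipped through.

```python
import random
from collections import defaultdict

# Constructed sample of a search-log export: (pseudonymous user id, query,
# clicked result). Invented for this example; not a real gatekeeper dataset.
SAMPLE_LOG = [
    ("u1", "weather berlin", "wetter.de"),
    ("u2", "weather berlin", "wetter.de"),
    ("u3", "weather berlin", "dwd.de"),
    ("u4", "weather berlin", "wetter.de"),
    ("u5", "weather berlin", "wetter.de"),
    ("u6", "python dataclass", "docs.python.org"),
    ("u7", "python dataclass", "docs.python.org"),
    ("u8", "python dataclass", "realpython.com"),
    ("u9", "python dataclass", "docs.python.org"),
    ("u10", "python dataclass", "docs.python.org"),
    # A query only two people ever typed: releasing it, even as a count,
    # would single those people out, so the k-threshold must suppress it.
    ("u11", "jane doe 123 main st divorce", "records.example"),
    ("u1", "jane doe 123 main st divorce", "records.example"),
    ("u1", "jane doe 123 main st divorce", "records.example"),  # repeat row from u1
]

K_MIN_USERS = 5   # assumed release threshold: distinct users per query
EPSILON = 1.0     # assumed privacy budget for the per-cell Laplace noise


def distinct_users_per_query(rows):
    """Support of each query, measured in distinct users rather than raw hits."""
    users = defaultdict(set)
    for user, query, _click in rows:
        users[query].add(user)
    return {query: len(s) for query, s in users.items()}


def laplace(scale, rng):
    """Laplace(0, scale) sample, drawn as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def anonymise(rows, k=K_MIN_USERS, epsilon=EPSILON, seed=None):
    """Return aggregated (query, click, noisy count) cells that are safe to share.

    1. Collapse repeated rows so each user contributes at most one row per
       (query, click); that bounds the sensitivity of every cell to 1.
    2. Drop any query seen by fewer than k distinct users (small-group suppression).
    3. Add Laplace(1/epsilon) noise to each surviving cell and clamp at 0.
    """
    rng = random.Random(seed)
    unique_rows = sorted(set(rows))
    support = distinct_users_per_query(unique_rows)
    counts = defaultdict(int)
    for _user, query, click in unique_rows:
        if support[query] >= k:
            counts[(query, click)] += 1
    released = []
    for (query, click), n in sorted(counts.items()):
        noisy = max(0, round(n + laplace(1.0 / epsilon, rng)))
        released.append({"query": query, "click": click, "count": noisy})
    return released


def check_no_small_groups(released, rows, k=K_MIN_USERS):
    """Independent verification before shipping: every released query must
    have at least k distinct users in the raw log."""
    support = distinct_users_per_query(rows)
    return all(support[cell["query"]] >= k for cell in released)


if __name__ == "__main__":
    out = anonymise(SAMPLE_LOG, seed=7)
    for cell in out:
        print(cell)
    print("small-group check:", check_no_small_groups(out, SAMPLE_LOG))
```

The check is deliberately a separate function over the raw log, so it can run in a different pipeline stage (or be handed to the auditor) rather than trusting the exporter's own bookkeeping; lowering `k` in `anonymise` while keeping it at 5 in the check shows the rare query being caught.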
Enforcement Coordination: Section 8’s Blueprint
Centralized DMA enforcement by the Commission dovetails with GDPR’s decentralized model via consultation protocols: The Commission seeks supervisory authority input on GDPR facets in probes; authorities reciprocate for DMA implications. The High-Level Group (Article 40 DMA) advises broadly, sans case specifics. Ne bis in idem shields against duplicate sanctions.
Strategic Implications for Gatekeepers and Stakeholders
For gatekeepers, these guidelines mandate privacy by design (Article 25 GDPR): segregate data silos, audit profiling (Article 15 DMA) and document the DMA-GDPR alignment to avoid fines. Business users gain contestability benefits (free data flows) but shoulder consent burdens, which calls for robust Article 28 agreements wherever processors are involved. End users gain real choice, though consent fatigue looms; neutral interfaces are pivotal.
Broader ripples: enhanced market fluidity via portability curtails lock-in, indirectly amplifying GDPR rights. Yet challenges persist: technical interoperability burdens, and transfer safeguards for global operations. The wider privacy community recommends DPIA-integrated roadmaps, consent-management tooling and close monitoring of consultation feedback for refinements. Future joint efforts, such as AI Act-GDPR guidelines, point to a cohesive regulatory tapestry.
- Compliance Imperatives: Embed granular consents in apps; anonymise proactively; foster API ecosystems.
- Risk Mitigation: Conduct joint audits; prepare for Commission-EDPB consultations.
- Innovation Catalysts: View DMA as GDPR enabler—data mobility spurs ethical AI and multi-homing.
Transcend EU Privacy
These joint guidelines go beyond clarification, embodying a mature EU ethos in which market fairness and data sovereignty converge. As the consultation unfolds, stakeholders must engage to shape a resilient digital future. For gatekeepers charting DMA compliance, this is not mere guidance; it is a compliance compass from the regulators themselves.
Book a demo with our privacy experts and compliance superheroes today to learn how to stay GDPR compliant across the new regulatory frameworks, changes and rulings.