On 19 November 2025, the European Commission (hereinafter the “Commission”) presented the first official draft of the Digital Omnibus legislative package[1], whose main objective is to modernize and clarify European digital law.
In general
Digital Omnibus, which is currently in the proposal stage, brings fundamental changes, particularly in the area of personal data protection under the GDPR[2] and in the regulation of the data economy under the Data Act[3].
Digital Omnibus represents one of the most significant interventions in the GDPR since its adoption, includes the first hint of deregulation in the area of personal data protection, and at the same time significantly reshapes the relatively new Data Act. In addition to amendments primarily targeting the GDPR and the Data Act, the package also addresses cybersecurity, a unified incident reporting regime, and selected elements of electronic identification. The regulation of artificial intelligence (AI) is addressed individually in a separate proposal presented by the Commission at the same time.
In this article, however, we will focus on the proposed changes in the area of personal data protection, i.e., in particular, the amendments to the GDPR. We will present the main new features of the Digital Omnibus, as well as new mechanisms and exceptions that have a significant impact in practice.
How does the Digital Omnibus affect the GDPR?
The Digital Omnibus affects the GDPR primarily in areas that, according to the Commission, require clarification or harmonization in practice. The Digital Omnibus therefore focuses in particular on clarifying certain basic concepts, updating and modernizing certain exceptions and legal bases (particularly in relation to the developing field of AI regulation), and harmonizing certain procedures and obligations where practice across the EU has not been fully harmonized. The goal is clear: to increase legal certainty, reduce administrative burdens, and ensure a more uniform and technologically up-to-date framework for the processing of personal data throughout the EU.
Impact on the definition of personal data
One of the most significant changes brought about by the Digital Omnibus is the amendment to the basic definition of personal data in Article 4(1) of the GDPR. Under the new rules, identifiability would be assessed solely on the basis of the means that a specific controller could “reasonably be expected” to use to identify a natural person. The Commission is thus following up on the judgment of the Court of Justice of the European Union (CJEU) in Case C-413/23 P, Single Resolution Board (SRB), in which the CJEU expressly stated that the same information may be personal data only for certain personal data controllers. The Commission further adds that when assessing “reasonable likelihood”, particular consideration is given to the costs and efforts required for identification, technological developments, the availability of additional data, and the purpose for which the controller processes the data.
New exceptions for the processing of special categories of personal data
The Digital Omnibus further supplements the exceptions contained in Article 9(2) of the GDPR with two new derogations from the prohibition on the processing of special categories of personal data within the meaning of Article 9 of the GDPR.
The first concerns the development and operation of AI systems and models where residual special categories of data may remain in training, testing, or validation data without being necessary for the purpose of processing. The Digital Omnibus therefore intends to allow their processing if the controller demonstrably implements and maintains appropriate technical and organizational measures throughout the life cycle of the AI system, with the aim of avoiding such data, identifying it and, once detected, effectively removing it, or, if removal would require disproportionate effort, at least ensuring that such personal data is not used to derive outputs or made available to third parties.
The second proposed exception applies to biometric data used to verify the identity of the data subject. The processing of biometric data will be possible if the verification process is designed in such a way that it is under the sole control of the data subject, for example when biometric data is stored only on the subject’s device (such as a mobile phone or chip card) or is stored by the controller in encrypted form, with the decryption key held exclusively by the user, i.e. the data subject. Under these conditions, the proposal does not consider the risks to the rights of the data subject to be significant and allows the processing of biometric data solely for the purpose of verifying identity.
Processing for research purposes and information obligation
The Digital Omnibus introduces two significant changes in the area of scientific, historical, and statistical research. The proposal expressly stipulates that further processing of personal data for scientific, historical, or statistical purposes is considered compatible with the original purpose of processing, without the need to perform a compatibility test under Article 6(4) of the GDPR, provided that the conditions of Article 89 of the GDPR are met.
At the same time, the possibility of using the exemption from the information obligation under Articles 13 and 14 of the GDPR is to be extended. Under the Digital Omnibus regime, the controller will not have to inform the data subject if providing the information would prevent the research purpose from being achieved or would require disproportionate effort in view of the scope or nature of the project. In its proposal, the Commission emphasizes that, when assessing proportionality, the availability of the data subjects’ contact details, the nature of the information processed, and the technical and organizational measures implemented in accordance with Article 89 of the GDPR are particularly relevant.
Restrictions on abuse of the right of access
The Commission also responds in the proposal to the problem of abuse of the right of access under Article 15 of the GDPR by adding the possibility for the controller to refuse or charge for requests that are manifestly vexatious, repetitive, or unreasonably burdensome. The Commission’s aim is to limit situations where the right of access is used more as a procedural or litigation tool than as a means of exercising real control over the processing of personal data.
The question, of course, is how this change will prove itself in practice, both from the perspective of controllers defending themselves against vexatious requests and from the perspective of data subjects, since some controllers may well invoke this exception too broadly and seek to restrict the legitimate exercise of the right of access.
Automated decision-making
A new interpretation of Article 22 of the GDPR is also provided, which expressly states that the necessity of automated decision-making for the performance of a contract is not conditional on the existence of a manual alternative if such decision-making is objectively necessary to provide the agreed service. This is an important clarification, particularly for industries that routinely use automated processes (banking, telecommunications, customer services).
In practice, this amendment is aimed in particular at services that depend on real-time evaluation, such as online lending, where decisions are based on automated credit scoring and manual assessment would not be operationally feasible. The same applies to telecommunications services or digital energy suppliers, where a manual alternative to automated real-time customer eligibility assessment is not feasible in practice.
Incidents and reporting obligations
One of the most significant practical changes is the adjustment of the security incident reporting regime. The reporting obligation will now only apply to incidents posing a high risk, and the deadline for reporting them will be extended to 96 hours. Reports should be submitted via the single European interface “Single Entry Point”, which is intended to serve as a central channel across relevant regulations. The aim is to harmonize procedures in the EU, reduce the administrative burden, and eliminate duplicate obligations, which often place an unreasonable burden on controllers today.
Harmonization of DPIA
The European Data Protection Board (EDPB) is to be given the power to issue a single European template for data protection impact assessments (DPIA) and unified lists of processing operations that require or do not require a DPIA. This change represents a significant simplification, especially for large multinational companies, as the existing national lists vary considerably between Member States and complicate practice.
Cookies and new provisions directly in the GDPR
The Digital Omnibus moves key regulation of cookies and similar technologies directly into the GDPR through new Articles 88a and 88b, which should significantly simplify the existing legal framework. At the same time, it amends Article 5(3) of the ePrivacy Directive[4] so that it does not apply in cases where the storage or reading of information on an end device leads to the processing of personal data. In these situations, only the GDPR will apply. The proposal also seeks to introduce an obligation for controllers to respect automated signals of consent or refusal to store or read information from terminal equipment, to be implemented at the level of browsers and operating systems.
Pseudonymization
The new Article 41a of the GDPR is intended to empower the Commission to determine, by means of implementing acts, the circumstances under which pseudonymized data may cease to be considered personal for certain categories of controllers or in specific situations. The amendment emphasizes the relative nature of pseudonymization, i.e., that data may not be considered personal data in relation to all subjects if the specific controller does not have realistic, likely available means to re-identify them.
Legitimate interest as a legal basis for the purposes of developing and operating AI systems
Another newly added Article 88c of the GDPR expressly provides that the processing of personal data for the purposes of “the development and operation of an AI system” may be carried out on the basis of legitimate interest pursuant to Article 6(1)(f) of the GDPR, unless Union or Member State law requires explicit consent.
This processing, however, remains subject to the standard balancing test between the legitimate interests of the controller and the rights of data subjects and must be accompanied by appropriate safeguards, in particular the principle of data minimization, transparency, and the unconditional right of the data subject to object.
However, given the explicit limitation in this new Article 88c of the GDPR, in cases where EU or national law expressly requires consent, individual Member States may in practice set stricter conditions for AI training than those provided for in the GDPR itself, which may to some extent undermine efforts to establish a uniform European framework for the use of data in the field of AI.
Conclusion
The Digital Omnibus represents a comprehensive and conceptual revision of European digital legislation, which, once adopted, will have a fundamental impact on the form of personal data protection and the data economy. Although it is still only a legislative proposal, it is already clear that it brings ambitious changes aimed at greater uniformity, technical relevance, and a reduction in administrative burdens.
The proposal contains a number of measures that could significantly ease the burden on businesses and institutions, whether it be the introduction of a single interface for reporting incidents, the transfer of cookie rules from ePrivacy directly to the GDPR, the updating of definitions in line with case law, or the consolidation of fragmented data legislation, which we will examine in more detail in a future article.
At the same time, however, some of the proposed changes are likely to be the subject of intense debate. In particular, interventions in the GDPR – such as new exceptions for AI, changes to the rules for cookies, or changes in automated decision-making – may provoke resistance from some experts and the non-profit sector, which is already warning of a possible weakening of the protection of data subjects’ rights. Member States also have different positions on these issues, which suggests that the legislative process may not run smoothly and further amendments to the proposal can be expected.
If the proposal is ultimately adopted, the Digital Omnibus will enter into force on the third day after its publication in the Official Journal of the EU. However, some provisions will have deferred application, mainly due to the necessary legislative, technical, and administrative preparations.
Businesses and public institutions should therefore already begin to assess the potential impact of the Digital Omnibus on their processes, particularly in the areas of technology, cloud services, data sharing, data governance, new rules for cookies, and future technical standards for consent.
Given the scope of the proposed changes, it is advisable to closely monitor the legislative process, as the Digital Omnibus, once adopted in its final form, will undoubtedly significantly shape the EU’s digital space in the coming years.
If you have any questions regarding changes under the Digital Omnibus, GDPR, Data Act, or other areas of EU regulation and compliance, we at PEYTON legal are here to help.
[1] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus).
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[3] Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).
[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
Mgr. Jakub Málek, managing partner – malek@plegal.cz
JUDr. Tereza Pechová, junior lawyer – pechova@plegal.cz
Anna Němcová, legal assistant – nemcova@plegal.cz
27. 11. 2025