On October 9, 2025, the European Commission (EC) and the European Data Protection Board (EDPB) published Draft Guidance on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR, and the Draft Guidance).
For the first time, the EDPB and the EC are issuing joint guidance to align GDPR and DMA requirements, reduce uncertainty for companies, and ensure DMA requirements are applied in line with the GDPR principles. This increases scrutiny for gatekeepers designated under the DMA and for their business users requesting data access under Article 6(10) DMA, who will need to pay closer attention to compliance and how the two regulations interact.
In particular, gatekeepers should consider conducting a gap analysis of their practices in light of the Draft Guidance, including reviewing their consent mechanisms, data-sharing practices, and other operational processes. Similarly, business users relying on gatekeepers for data access should consider aligning their practices with the Draft Guidance to ensure compliance and avoid potential GDPR breaches.
Background
While both the DMA and the GDPR seek to protect users in the digital ecosystem, they pursue distinct objectives and operate within different—albeit partly overlapping—scopes.
The DMA applies to large digital platforms that provide “core platform services” (CPSs) (e.g., online marketplaces, online platforms, social networking, cloud services, advertising services, video sharing) and have been designated as “gatekeepers.” The DMA imposes far-reaching ex ante obligations on these gatekeepers, including rules related to data combination, use of platform data, data access by business users or rivals, interoperability, ad transparency, and self-preferencing.
Some of these obligations entail processing of personal data subject to the GDPR, and there have been concerns over potential inconsistencies, shortcomings, or conflicts between the two regulations. Such concerns arise, for example, in cases where the wording of the DMA directly refers to GDPR concepts and thus raises interpretation issues, or where these obligations are in conflict with pre-existing GDPR principles.
Although the Draft Guidance has no binding legal force on businesses, it reflects the EC and EDPB’s enforcement approach and expectations and creates legitimate expectations for individuals and companies.
Where the DMA Meets the GDPR
The Draft Guidance highlights strict consent requirements for gatekeepers under the DMA, particularly regarding targeted advertising and cross-service data processing, and clarifies DMA obligations that overlap with the GDPR, as follows:
- Consent. The DMA prohibits gatekeepers from processing certain personal data without valid user consent, such as combining data from a CPS with another service (Article 5(2)). The Draft Guidance emphasizes that consent must comply with GDPR requirements and be freely given, specific, informed, and clear. Users should be able to refuse or withdraw consent without any restriction or reduced functionality. When processing operations require consent under both the GDPR and DMA, gatekeepers should use a single, user-friendly consent flow.
- Data Access. The DMA requires gatekeepers to give business users and authorized third parties access to personal data generated by end users (Article 6(10)). The Draft Guidance clarifies that this sharing can only occur with the end user’s prior consent, which also serves as the legal basis under the GDPR. Gatekeepers must also inform end users about the processing by themselves and the authorized third parties as separate controllers.
- Data Anonymization. The DMA requires gatekeepers to provide certain anonymized end-user data (e.g., ranking, query, click, and view data) to third-party search providers (Article 6(11)). The Draft Guidance clarifies that anonymization must meet the same high standard as set out in the GDPR. While achieving full GDPR-compliant anonymization is challenging, EC implementing regulations could help by imposing on gatekeepers’ specific conditions and safeguards to ensure effective anonymization before sharing data with eligible third parties.
- Data Portability. The Draft Guidance expands on the DMA’s data portability rights (Article 6(9)), allowing end users and authorized third parties to request personal data from CPSs, complementing the GDPR.
- Legal Basis. Unlike the GDPR, which requires consent or a contract, the data portability right under the DMA applies regardless of the legal basis. Gatekeepers must comply even when processing relies on other bases, like legitimate interests.
- Material Scope. The scope of personal data subject to data portability under the DMA is broader than under the GDPR, including data about other individuals if provided by the end user or generated through their activity on the CPS.
- Data Transfers. Complying with a data portability request may require transferring personal data outside the EEA to a country without an EU adequacy decision. In such cases, gatekeepers should obtain the user’s consent after explaining the possible risks. They should also inform users who can make requests and specify the recipients of their data when a request is made.
- Interoperability. For number-independent interpersonal communication services, the DMA requires gatekeepers to enable users to easily switch to an alternative provider at no additional cost (Article 7). To simultaneously comply with the GDPR, the Draft Guidance highlights that gatekeepers should conduct a data protection impact assessment and only share the personal data strictly necessary to provide effective interoperability.
- Distribution of Software Application Stores and Applications. The DMA requires gatekeepers to allow the installation and effective use of third-party software apps or app stores on their operating system (Article 6(4)). The Draft Guidance clarifies that gatekeepers must still comply with the GDPR, for example by encrypting network connections, protecting against malware, and letting users limit third-party access to sensitive data. According to the Draft Guidance, they must also follow the e-Privacy Directive, obtaining user consent to store or access information on devices, unless strictly necessary for a service requested by the user or for secure system operation.
Enforcement and Compliance
The Draft Guidance stresses coordinated enforcement between the EC and national data protection authorities, reducing the risk of conflicting requirements and providing a clearer roadmap for compliance. However, this also means an increased risk of enforcement action and appears to sharpen the requirements related to data access and the expectations of regulators for both gatekeepers and business users.
Key Takeaways
While awaiting the final guidance, both gatekeepers and business users requesting data access under Article 6(10) DMA should carefully consider the interplay between the DMA and the GDPR to ensure compliance with both frameworks.
The Draft Guidance is now open for consultation, and stakeholders have until December 4, 2025, to submit their feedback. The final guidance is expected to be published in 2026.
