ARTICLE
11 December 2025

The Digital Omnibus Package – Focus On Personal Data Provisions

Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.
Julie Uzan-Naulin’s articles from Fasken are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • in United States
  • with readers working within the Banking & Credit, Oil & Gas and Law Firm industries

On November 19, 2025, the EU Commission released its new digital package. Although the EU has pioneered digital regulation and has set the gold standard for protecting fundamental rights, ensuring consumer safety, and upholding European values, the proliferation of EU texts (such as the General Data Protection Regulation (GDPR), the Data Governance Act (DGA), the Data Act, the AI Act, etc.) has become burdensome, particularly for SMEs.

The package contains the Digital Omnibus proposal which is the first step to optimise the application of the digital rules. Its objective is to ensure that compliance with the rules comes at a lower cost, delivers on the same objectives, and provides a competitive advantage for the responsible businesses.

In this bulletin, you will find a brief overview of the key amendments that could be made in data protection matters, in particular amendments to the GDPR and to the e-Privacy Directive. However, please keep in mind that the Digital Omnibus is a draft and its content can be amended until its adoption.

Clarification of the definition of personal data under Article 4 of the GDPR: Information is not to be considered personal data for a given entity when that entity does not have means reasonably likely to be used to identify the natural person to whom the information relates. This amendment aims at integrating the new case law of the Court of Justice of the European Union (the "CJEU"), Case C-413/23 P, European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB), in which the CJEU affirmed that pseudonymized data may not always be considered "personal" for a party, such as a service provider, for example if the pseudonymization could prevent that party from identifying the individual. In this context, whether data is considered "personal" depends on the perspective and identification capabilities of the party handling it.

Note that the Commission will adopt implementing acts to specify means and criteria to determine whether data resulting from pseudonymization no longer constitutes personal data. The European Data Protection Board (EDPB) will be involved.

Two additional exemptions to the general prohibition of processing of special categories of data:

  • The processing of biometric data is permitted when it is necessary for confirming the identity of the data subject and when the data and means are under the sole control of that data subject.
  • The processing of special categories of personal data for development and operation of an AI system or an AI model, subject to certain conditions, including appropriate organizational and technical measures to avoid collecting special categories of personal data.

Excessive access requests: Clarification of the situation under Article 12 of the GDPR where the right of access is abused by data subjects for purposes other than the protection of their personal data. As a result, the organization could refuse to comply with the request or charge a reasonable fee. In this context, the organization will have to demonstrate that the request is manifestly unfounded or that there are reasonable grounds to believe that the request was excessive. This provision is similar to Quebec privacy laws.

No need to inform individuals where there are reasonable grounds to assume that the data subject already has the information, unless the controller shares the data with other recipients, transfers it to a third country, engages in automated decision-making, or the processing poses a high risk to the data subject's rights.

Clarification of the requirements for automated individual decision-making under Article 22 of the GDPR, in the context of entering into, or performance of, a contract between the data subject and a data controller, in particular that the requirement of 'necessity' applies regardless of whether the decision could be taken otherwise than by solely automated means.

New requirements for data breach notifications: The notification process will be simplified by aligning the controller's obligation to notify data breaches to the competent supervisory authority under Article 33 of the GDPR with its obligation to notify data subjects of such breaches, by stipulating that notification is only required if a data breach is likely to result in a high risk to the data subject's rights. Currently, a data breach must be notified (i) to the competent supervisory authority if such a breach is likely to result in a risk to the data subject's rights and (ii) to the data subjects if it is likely to result in a high risk to the data subject's rights. This two-threshold notification process will therefore no longer exist, and the regime will be in line with the Canadian requirements.

In addition, the notification deadline would be extended to 96 hours (currently 72 hours). It is also proposed that controllers use the single-entry point when they notify data breaches to the supervisory authority. In addition, the EDPB would be obliged to prepare and submit to the Commission a proposal for a common template for data breach notifications.

Note that the single-entry point for incident reporting is also mandatory for reporting breaches under eIDAS, NIS 2, and DORA.

DPIAs: Currently, each EU member state has its own lists of processing activities that are or are not subject to the obligation to carry out a DPIA. Such lists would be harmonized at the EU level, thereby contributing to a consistent definition of high risk.

New rules regarding cookies: The legal regime on processing of personal data on or from terminal equipment ('connected devices'), currently part of Directive 2002/58/EC (ePrivacy Directive), would be inserted in the GDPR and would rely on consent. Among other changes, the proposal would permit the storing of personal data, or gaining access to personal data already stored in terminal equipment, without consent, in a range of circumstances, for example access needed by the controller to measure audience size for its own use or to maintain or restore security.

Note that the e-Privacy Directive would be amended accordingly to reflect such a change.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
