Digital Omnibus – are we facing major changes to the GDPR regulations?

On 19 November 2025, the European Commission presented a legislative package called ‘Digital Omnibus’ – the first attempt in years to systematically reorganise the already complex EU digital law. The impetus for this reform is the accumulation of numerous regulations and competitive pressure.

The Commission’s proposal includes, among other things, significant changes to the General Data Protection Regulation (GDPR). This is the first major amendment to the GDPR since 2016, focusing on issues that have been the most controversial in the practical application of the regulations – primarily the definition of personal data, the rules for processing data for the purposes of artificial intelligence, automated decision-making, reporting data breaches and information obligations towards data subjects.

A new approach to the definition of personal data

One of the most significant changes concerns the definition of personal data in Article 4(1) of the GDPR. The draft clarifies that information relating to a natural person does not have to be personal data for every entity simply because another entity is able to identify that person.

Data will not be personal from the point of view of a given controller if, in real terms, the controller is unable to identify the person using means that are ‘sufficiently likely’ to be used in their situation. The mere fact that other entities have broader identification capabilities will no longer determine the classification of data on the part of a specific controller.

The draft also provides for the European Commission to be granted the power to adopt implementing acts specifying the measures and criteria for pseudonymization, after which certain data will be treated as non-personal from the perspective of the entity concerned. In practice, this means that some data currently classified as personal could be excluded from the scope of the GDPR, with the boundary between personal and non-personal data becoming even more dependent on the technology, organization and actual capabilities of the controller.

Data processing for artificial intelligence purposes

The Digital Omnibus introduces a new Article 88c to the GDPR, which aims to regulate the processing of personal data for the purposes of training artificial intelligence systems and models.

The draft clearly confirms that training AI models does not take place ‘outside the GDPR’ – it is necessary to rely on one of the bases in Article 6 of the GDPR (including consent, contract, legal obligation, legitimate interest). A legitimate interest basis is possible, but only after a thorough balancing test has been carried out, with particular emphasis on the protection of the rights and freedoms of natural persons, including children.

Additional specific obligations are imposed on the controller, such as: minimizing data already at the source selection stage, increased transparency towards persons whose data has been used for training, and granting those persons the right to object to the processing of their data for the purposes of training AI models.

With regard to special categories of data, the draft provides for conditional authorization of their processing in the context of artificial intelligence, provided that technical and organisational measures are implemented to avoid such data and delete them when detected. In the case of biometric data, its use for identity verification is permitted if control over the process and keys (e.g. cryptographic) remains with the data subject.

Information obligations and right of access

The proposed amendment to Article 12(5) of the GDPR is intended to enable controllers to defend themselves more effectively against abuse of data subjects’ rights. The controller will be able to refuse to comply with the right of access or charge a reasonable fee where the request is manifestly excessive or serves to exert economic pressure rather than to protect data.

Another important change concerns Article 13 of the GDPR. Extended exemptions from the information obligation are envisaged in simple, transparent relationships (e.g. small associations, local service providers) where the individual can reasonably predict who is processing their data and for what purpose, and the scope of the processing is limited. However, the exemption will not cover profiling, onward transfers, transfers to third countries or high-risk processing.

A specific exception is also provided for scientific research – where individual compliance with the information obligation is impossible or would require a disproportionate effort and could jeopardise the objectives of the research, with the use of specific compensatory mechanisms (e.g. publication of general information about the processing).

Automated decision-making

Of particular importance is the proposed amendment to Article 22 of the GDPR concerning decisions based solely on automated processing, including profiling. Until now, this provision has been seen primarily as a guarantee of the right not to be subject to such a decision, with strictly interpreted exceptions.

In the draft, Article 22(1) is primarily intended to list the conditions under which automated decision-making is permissible. The emphasis is thus shifting from a general prohibition with exceptions to a general allowance under certain conditions. The rights of a person affected by an automated decision essentially boil down to requesting human intervention, expressing their own position and challenging the decision.

In addition, the draft specifies that a decision may be considered necessary for the conclusion or performance of a contract even if it could technically be made in a non-automated manner. In practice, this strengthens the argument of controllers in favour of using automation in many processes.

Data breaches and DPIA

The draft also provides for changes in the area of data breach notification and data protection impact assessments (DPIA). It is proposed to extend the deadline for notifying the supervisory authority of a breach to 96 hours and to limit the notification obligation to breaches that are likely to result in a high risk to the rights or freedoms of natural persons. Notifications are to be made through a single EU contact point using a common template.

With regard to DPIA, it is important to harmonise impact assessments by establishing at EU level lists of processing operations that require and do not require a DPIA, adopting a uniform assessment methodology and a standardised document template. Drafts of these solutions are to be prepared by the European Data Protection Board and then adopted by the Commission in the form of implementing acts.

GDPR and cookies

Digital Omnibus provides for the inclusion in the GDPR of rules on the storage of information on users’ devices and access to it, which until now have been primarily based on the e-Privacy Directive and national legislation. The proposed Article 88a aims to harmonise these rules at EU level.

The new regulation stipulates that storing information on a user’s terminal equipment or accessing information already stored requires the user’s consent, with exceptions including operations necessary for the transmission of communications, necessary for the provision of a service explicitly requested by the user, for the measurement of audience ratings by the provider for its own purposes, and related to the security of the service or device.

Once consent has been refused, the controller will not be able to ask for it again for the same purpose for at least 6 months. Controllers are to provide interfaces capable of reading machine-readable consent and objection signals (including objections to direct marketing), and browser providers are to enable users, after a specified period, to configure global privacy settings that are automatically communicated to websites.

Significance of the draft

The Digital Omnibus package is at the beginning of the legislative process – ahead of it lie work in the European Parliament, the Council of the EU and a broad debate involving supervisory authorities, business representatives, social organisations and academia.

The foundations of the GDPR remain intact, but the proposed changes are profound. Of particular importance is the redefinition of the practical understanding of personal data and the change in the function of Article 22 of the GDPR. The amendment also significantly strengthens the role of the European Commission in the area of data protection, granting it numerous powers to issue implementing acts in sensitive areas (pseudonymisation, DPIA, reporting of breaches, signals of consent and objection).

If the amendments are adopted, businesses must be aware that it will be necessary to adapt their privacy policies, procedures for handling rights, methods of documenting DPIA and handling breaches, as well as practices related to the use of artificial intelligence and mechanisms such as cookies and similar technologies.

Authors

Dorota Brzęk

Trainee Attorney at Law

Katarzyna Hiller

Partner, Attorney at Law, Compliance Officer, LL.M. in International Commercial Law
