EDPB and European Commission release joint guidelines on DMA and GDPR

The European Data Protection Board (EDPB) and the European Commission have issued their first joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). Aligned with the EDPB’s 2024–2027 Strategy and the Helsinki Statement, the guidance aims to simplify compliance and strengthen consistency across EU digital regulation, enhancing legal certainty for gatekeepers, business users, beneficiaries, and individuals.

The guidelines clarify how DMA obligations involving personal data must be implemented in accordance with EU data protection law. Notably, they set out the elements required for specific choice and valid consent under Article 5(2) DMA and the GDPR to lawfully combine or cross-use personal data across core platform services. They further address distribution of third‑party apps and stores, data portability, data access requests, and interoperability of messaging services, reflecting the DMA’s integration with GDPR concepts and definitions.

A joint public consultation on the draft guidelines is open until 4 December 2025. Stakeholder submissions will be published on the DMA website, linked from the EDPB website after the consultation closes. The final text, incorporating feedback, will be prepared jointly and adopted by both the EDPB and the European Commission.

Further guidance is forthcoming. The EDPB and the Commission’s AI Office are developing joint guidelines on the interaction between the AI Act and EU data protection law, continuing efforts to clarify the cross‑regulatory landscape and ensure coherent safeguards for personal data in digital markets.