GDPR and DMA: towards convergence between competition law and personal data protection

In a European market affected by the constant evolution of digital services, the European Data Protection Board (the "EDPB") and the European Commission approved, on 9 October 2025, joint guidelines aimed at clarifying the interplay between the Digital Markets Act (the "DMA") and the General Data Protection Regulation (the "GDPR").

‍

This joint effort marks a turning point for digital markets, which must now respond to interconnected challenges between individuals' rights to privacy and protection of their personal data on the one hand, and fairness and contestability of digital markets from a competition law perspective on the other.

‍

While the DMA and the GDPR pursue different objectives, they are nonetheless complementary in terms of protecting individuals.

‍

Between guidelines and actual practices, how do these two legal regimes interact?

‍

1. Common guidelines on the interaction between the DMA and the GDPR

‍

While the GDPR applies to companies established in the European Union ("EU") or offering their services to individuals established in the EU, the DMA applies to core platform services provided or offered by gatekeepers to business users or end users established in the European Union.  

‍

Core platform services include a limited list of digital services listed in Article 2(2) of the DMA, such as operating systems, virtual assistants, or online intermediation services, while gatekeepers are the companies the provide these services and have been designated by the European Commission.

‍

Although the scope of the DMA is narrower than that of the GDPR, it is important to note that the covered services are systematically affected by data protection issues, since gatekeepers may be classified as data controllers or processors, depending on the circumstances.

‍

The European Commission and the EDPB therefore sought, through joint guidelines, to provide guidance for the consistent interpretation and application of these two regulations, in relation to some provisions of the DMA that concern or may entail the processing of personal data by gatekeepers or include references to GDPR concepts and definitions.

‍

Open for public consultation until 4 December 2025, these recommendations highlight the points of contact and convergence between competition law and data protection.

‍

2. Convergence between user rights and platform obligations

‍

The connections between these two legal regimes are reflected in various provisions of the DMA and the GDPR.  

‍

While gatekeepers may be required to process personal data, the DMA sets limits and defines in Article 5(2) four practices that are strictly prohibited unless the end user has consented:  

• processing, for the purpose of providing online advertising services, personal data of end users using services of a third-party that make use of a core platform service provided by the gatekeeper;

• combining personal data of users from the relevant core platform service with data from any further service provided by the same gatekeeper or from third-party service;

• cross-using personal data from the relevant core plateform service in other of services provided separately by the gatekeeper;

• signing in end users to other services of the gatekeeper in order to combine personal data.  

‍

These prohibited practices are, in fact, already covered by data protection law, which prohibits commercial prospecting without consent from individuals, or makes the combination and cross-referencing of personal data one of the criteria requiring a data protection impact assessment ("DPIA").  

‍

By incorporating these practices, the DMA goes further and contributes to the protection of data subjects by imposing additional obligations on data controllers beyond those already required under the GDPR.  

‍

However, a limit set by Article 5(2) of the DMA should be noted: the obligation on gatekeepers to obtain the consent of end users is without prejudice to their ability to process such personal data when it is necessary to comply with a legal obligation, to protect vital interests, or to perform a task carried out in the public interest.

‍

Thus, the concept of legal basis, well known to GDPR practitioners, finds its place in the business practices of gatekeepers.

‍

The DMA also disrupts consent practices, in particular by:  

• introducing the possibility for gatekeepers to offer a less personalized but equivalent alternative to prohibited practices in order to circumvent the requirement to obtain consent; and  

• providing for the need for a separate opt-in for each purpose pursued under Article 5(2) DMA, as recommended in the aforementioned joint guidelines.  

‍

Here again, the principles already laid down in the GDPR, which require free, informed, and specific consent, are reflected; while the joint guidelines of the EDPB and the European Commission warn of the imbalance of power between end users (data subjects) and gatekeepers.  

‍

In the view of the European authorities, the right to data portability, provided for in Article 6(9) of the DMA which requires gatekeepers to guarantee end users the effective portability of data provided by them or generated by their activity free of charge, also coexists with the right to portability provided for in Article 20 of the GDPR.  

‍

While dominant companies may tend to conceal the true extent of their data practices, thereby degrading the quality of their services and harming consumers from a competition perspective, the principles of transparency and accountability derived from the GDPR rebalance market relations.  

‍

Thus, it is no longer possible to deny the coexistence and necessary coordination of competition law and the right to personal data protection.  

‍

3. What are the implications for the digital market?

‍

It is clear from all of the above that the DMA can only be effective as a regulatory framework for digital markets if it is interpreted and implemented in accordance with fundamental rights and freedoms, and hence with the right to personal data protection.

‍

Thus, gatekeepers and, more broadly, digital service providers must now adapt their usages and include data protection issues in their business practices, as it is highly likely that market regulators will increasingly extend their controls to the provisions of the GDPR and other applicable data protection laws.  

‍

Indeed, in cases where a company abuses its dominant position to influence data subjects and force their consent via the consent-or-pay model, for example, the authorities will take a tough stance, as evidenced by the €150,000,000 fine imposed on Apple by the French Competition Authority on 28 March 2025, due to the abusive nature of the terms of its App Tracking Transparency (ATT) system, which requires a consent window to be displayed before any targeted advertising can take place.  

‍

As business users and end users, other market players and data subjects will also benefit from this convergence between competition law and data protection law, by articulating the rights and commercial practices prohibited under the DMA in light of their rights over their personal data under the GDPR.  

‍

Conversely, the provisions of the DMA could change the practices established by data protection law, particularly with regard to consent collection and targeted advertising, and thus bring about changes in usage at a time when European institutions are seeking to amend and simplify the GDPR.  

‍

In the digital world, the synergy between competition law and data protection law seems essential to ensuring market balance while promoting innovation.  

If you have any questions or need assistance, our IP/IT team is here to help!

‍

‍

Jeannie Mongouachon, Partner and Juliette Lobstein, Associate, Squair