Digital Omnibus and GDPR: upcoming changes in personal data protection
The comprehensive digital package (known as the Digital Omnibus) presented by the European Commission in November 2025 focuses on changes to digital legislation in data protection and processing, cybersecurity and artificial intelligence. It should also have a significant impact on personal data protection (GDPR). Here is an overview of the key areas that may be affected by the upcoming changes.
The proposed amendments are primarily aimed at clarifying and simplifying the rules to relieve addressees and public authorities of the administrative and financial burden associated with fulfilling their obligations. The aim is to strike a balance between maintaining a high level of personal data protection and supporting technological development and business competitiveness.
When will data be considered "personal"?
The proposal provides for a more precise definition of personal data, with particular emphasis on the "identifiability" of a natural person. Information relating to a natural person may not automatically be personal data for every entity simply because another entity is able to identify that person. When assessing identifiability, all means that can reasonably be expected to be used to identify the data subject (e.g. availability of additional data, costs, effort required, etc.) should therefore be taken into consideration. Thus, certain information may constitute personal data for some entities, while for others that do not have the means to identify the data subject directly or indirectly, it may not be personal data.
Right of access and obligation to inform data subjects about the processing of their data
Simplification should also apply to certain obligations of personal data controllers. If a data subject clearly abuses their right of access (e.g. by submitting excessively repetitive or clearly unfounded requests), the controller will be entitled to refuse the request or charge a reasonable fee. With certain exceptions, the controller will also not be obliged to inform the data subject in situations where there are reasonable grounds to believe that the data subject already has the relevant information.
More favourable conditions for artificial intelligence and new exceptions for the processing of sensitive data
The processing of personal data during the training, testing and operation of artificial intelligence systems should now be possible on the basis of legitimate interest, unless consent is required under other regulations. At the same time, the processing of special categories of personal data (sensitive data) is also permitted if they occur only residually in training or test data. In any case, however, controllers remain obliged to ensure adequate data protection through organisational and technical measures, including the performance of a balancing test.
The exception to the prohibition on processing sensitive data should also apply to biometric data if their processing is necessary to verify the identity of the data subject and, at the same time, these data and the means of verification are exclusively under the control of the data subject (e.g. they are stored on their device).
Access to devices and storage of cookies
The legislation responds to the phenomenon of "consent fatigue", where users are overwhelmed by an excessive number of interactive elements. The new legislation will place an emphasis on user-friendliness: website operators will have to allow users to refuse cookies with a single click and must not repeatedly bother users with requests at short intervals. The proposal also introduces an obligation for website and application administrators to respect user preferences set in the browser or application that express consent or refusal to store or read information from the end device. At the same time, there will be a certain relaxation of the rules for necessary and less invasive technical operations. For example, consent should not be required if the processing is necessary to provide a service requested by the user, to transmit electronic communications, to secure the website, or for the administrator's own traffic measurement.
More effective notification of personal data breaches
It is proposed that the controller's notification obligation should only apply to incidents that are likely to result in a high risk to the rights of data subjects. At the same time, the notification deadline should be extended from 72 to 96 hours. Notifications should be submitted via a "single-entry point" to be established under the NIS2 Directive. The European Data Protection Board (EDPB) is also to prepare a uniform notification template.
Conclusion
The proposed changes do not alter the fundamental principles on which personal data protection is based. However, the area requires ongoing adaptation to rapid technological developments and changes in the digital environment. The amendments do not re-evaluate the regulatory framework itself but rather aim to clarify and partially relax the existing rules, while considering the risks of infringement on the rights and freedoms of data subjects. The Digital Omnibus legislative proposal will now be subject to further discussions at the level of European institutions. It is therefore not yet possible to predict with certainty whether and in what form it will be adopted, and its final wording may undergo further changes.