European Union: European Data Protection Board and European Commission opened consultation on joint guidelines on interplay between Digital Markets Act and General Data Protection Regulation

On 9 October 2025, the European Data Protection Board and the European Commission opened a consultation on joint guidelines detailing the interaction between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). The consultation is set to close on 4 December 2025. The guidelines aim to ensure the compatible interpretation and application of both frameworks. The guidelines focus on specific DMA provisions with overlaps with GDPR rules that require clarification. For data processing under Article 5(2) of the DMA, gatekeepers must obtain end users' valid consent as defined by the GDPR, though other legal bases such as legal obligation may be used for specific purposes such as security. Regarding Article 6(4) DMA, gatekeepers enabling third-party app stores on their systems must comply with the GDPR and the ePrivacy Directive, advising the selection of measures effective for GDPR compliance while minimally affecting DMA objectives. The data portability right in Article 6(9) DMA is broader than the GDPR's, and the guidelines clarify how to handle data of multiple individuals, user authentication, and international data transfers. For data access granted to business users under Article 6(10) of the DMA, it is clarified that consent collection remains a necessity, and that it is the gatekeepers' role to facilitate this process as well as to inform users about data sharing. Article 6(11) DMA, which obliges gatekeepers to provide anonymised search data, is explained in terms of fostering market competition and effective anonymisation. Finally, Article 7 DMA's interoperability requirements are elaborated from a privacy and data protection perspective, emphasising data minimisation and measures to protect service integrity and privacy. The guidelines also noted the necessity of coordination between the European Commission and data protection supervisory authorities for consistent enforcement.