The GDPR has been Europe’s privacy rulebook since it came into effect in 2018. For most of that time, the core text stayed intact. That could change.
On November 19, 2025, the European Commission published the Digital Omnibus (COM(2025) 837), a proposal to modernize several EU digital laws at once. For the GDPR, the changes are targeted but significant: cleaner definitions, less admin for low-risk processing, new rules for AI, and a full overhaul of cookie consent.
This article is organized by GDPR article number, so you can read straight through or jump directly to the changes most relevant to your work.
In this guide
- What is the Digital Omnibus?
- EU Digital Omnibus GDPR changes: article by article
- Article 4: the definition of personal data gets a sharper boundary
- Article 5: reusing data for research and statistics is explicitly compatible
- Article 9: two new carve-outs for sensitive data
- Article 12: a clearer basis to refuse abusive access requests
- Article 13: privacy notices are no longer required in obvious, low-risk situations
- Article 22: automated decision-making gets a useful clarification
- Article 33: breach notification becomes less burdensome
- Article 35: one EU-wide DPIA list replaces 27 national ones
- New Article 41a: technical criteria for when pseudonymised data stops being personal
- New Article 88a: cookie rules move into the GDPR
- New Article 88b: users can set privacy preferences at browser or OS level
- New Article 88c: a defined legal basis for training AI on personal data
- Full summary table: all article changes at a glance
What is the Digital Omnibus?
The Digital Omnibus is a package of legislative proposals published by the European Commission on November 19, 2025. Its goal is to simplify and modernize several EU digital laws at once, including the General Data Protection Regulation (GDPR), the EU ePrivacy Directive, the Data Act, NIS2 for cybersecurity, and others.
The EU’s broader motivation is competitiveness. Years of layered digital regulation have created overlapping obligations, inconsistent enforcement across member states, and significant compliance costs for businesses of all sizes. The Omnibus aims to reduce that burden without rolling back individual rights.
For privacy and legal teams, the GDPR amendments are the part of the package to watch. They touch definitions, data subject rights, breach notification, DPIAs, cookie consent, and AI across 12 articles.
If adopted, when would the Digital Omnibus apply?
The Omnibus would not take effect all at once: application dates are staggered according to how complex each provision is to implement. For example, the refreshed cookie rules would apply 6 months after entry into force, while browser-level signals would apply around 48 months after.
EU legislative procedures typically take 12 to 30 months from proposal to adoption in straightforward cases. For a proposal of this scope, touching cookie law, AI, and core GDPR definitions simultaneously, a longer timeline is more realistic. The earliest any provision would apply is late 2027, and full rollout could extend to 2030 or beyond.
The process is further complicated by the number of stakeholders already on record:
- The EDPB has raised concerns about the narrowed personal data definition.
- NOYB and IAB Europe have submitted positions on the cookie rules.
- Trilogue negotiations between the Parliament, Council, and Commission are unlikely to be straightforward.
The final text may look quite different from what the Commission published.
Important: the Digital Omnibus is still a proposal, not law. It will go through negotiations in the European Parliament and Council, and the final text may change substantially. Your current GDPR obligations remain fully in force. Nothing requires action until the regulation is formally adopted.

EU Digital Omnibus GDPR changes: article by article
Article 4: the definition of personal data gets a sharper boundary
The GDPR currently defines personal data broadly: any information that could identify someone, by any party, using any reasonably available means. In practice, this left pseudonymised data in scope for almost everyone, even organizations that had no realistic way to identify anyone from it.
Pseudonymised data is personal data where direct identifiers like names or emails have been replaced with codes or tokens. It can still be linked back to an individual if the right additional information exists.
The Omnibus tightens this. Information would not count as personal data for an entity that does not have the means “reasonably likely” to identify the person. The fact that a later recipient could identify someone does not make the data personal for the entity holding it now.
This matters most for researchers, analytics providers, and AI developers working with pseudonymised datasets. It draws a cleaner line between in-scope and out-of-scope processing.
If you work with pseudonymised datasets and have no realistic way to re-identify individuals, this is a good moment to map out which processing activities the change would affect.
Article 5: reusing data for research and statistics is explicitly compatible
Purpose limitation is a core GDPR principle: you can only use personal data for the purpose you collected it for, unless further processing passes a compatibility test.
The Omnibus makes one category exempt from that test entirely. Processing for archiving in the public interest, scientific or historical research, or statistical purposes would always be compatible with the original collection purpose, regardless of how that data was originally collected.
If you work in public health, academia, or data analytics, this removes a compliance step that previously created uncertainty around secondary use of data.
Article 9: two new carve-outs for sensitive data
Special categories of data (health, ethnicity, biometric identifiers, and others) carry stricter protections. The Omnibus adds two new exceptions.
- First, where sensitive data ends up incidentally in an AI training set, its presence does not automatically trigger the stricter prohibitions under Article 9, provided the controller has put in place appropriate technical and organizational measures to minimize collection in the first place and to remove or protect sensitive data where it can be identified. The carve-out is conditional on those safeguards being in place: it is not a general permission to retain sensitive data once ingested.
- Second, biometric data (data derived from a person’s physical characteristics, such as fingerprints, facial features, or iris patterns) can be processed for identity verification when the means of verification are entirely under the user’s control. Think of a fingerprint used to access a service on the user’s own device.
Article 12: a clearer basis to refuse abusive access requests
Data subject access requests (DSARs) are a legitimate right. They are also sometimes used tactically: to gather evidence in employment disputes, to create pressure in unrelated negotiations, or as part of coordinated harassment.
The Omnibus adds an explicit basis to refuse requests, or charge a reasonable fee, when a request is clearly not made for data protection purposes. This builds on the existing Article 12(5) mechanism, which already allows controllers to refuse or charge for manifestly unfounded or excessive requests, by extending it to requests that are clearly made for purposes unrelated to data protection. The burden of proof stays with the controller in both cases: you would need to document your reasoning before invoking either ground.
If your organization has received coordinated or clearly tactical access requests, this gives you a documented legal route to push back.
Article 13: privacy notices are no longer required in obvious, low-risk situations
Today, almost every instance of processing personal data triggers an obligation to provide a privacy notice. The Omnibus introduces a practical exception.
Where there are reasonable grounds to assume the person already has the information, controllers would not need to provide a full notice. The regulation names simple craftsman-client relationships and sports club memberships as examples: low-risk contexts where providing a formal notice adds process without adding understanding.
A new Article 13(5) also exempts controllers from information obligations in scientific research contexts where providing that information would be impossible or disproportionate, as long as the information is made publicly available instead.
Article 22: automated decision-making gets a useful clarification
The GDPR restricts fully automated decisions that have a legal or similarly significant effect on a person, with limited exceptions. One exception is necessity for a contract: if a decision needs to be automated to carry out a contract with someone, it is permitted.
The Omnibus removes a gray area: the automated decision just needs to be necessary for the contract. For organizations using automated decisions in lending, insurance, or similar areas where a contract genuinely requires that processing, this removes an unresolved argument about whether human involvement needed to be impractical first. The exception remains narrow: it applies only where the automated decision is necessary for the performance of a specific contract with the individual concerned, not to AI-driven decisions in general.
Article 33: breach notification becomes less burdensome
Today, you must notify your supervisory authority of a data breach within 72 hours, for any breach that poses a risk to individuals. That low threshold has led to high volumes of notifications for incidents with limited real-world impact.
Three changes are proposed:
- The threshold rises: notification is required only when a breach poses a high risk to individuals, aligning it with the existing bar for notifying individuals directly.
- The deadline extends from 72 to 96 hours.
- A new single EU entry point handles notifications across GDPR, NIS2, eIDAS, DORA, and other frameworks, eliminating the need to report to multiple authorities separately.
Together, these changes would give teams more time to assess an incident, limit mandatory notifications to genuinely high-impact cases, and route every report through a single channel.
Article 35: one EU-wide DPIA list replaces 27 national ones
Data Protection Impact Assessments (DPIAs) are required for high-risk processing. Each EU member state currently maintains its own list of what qualifies as high-risk, creating inconsistencies across the Single Market.
The Omnibus replaces all national lists with a single EU-level list, prepared by the EDPB and formally adopted by the Commission. One harmonized list, one standard template, one methodology. For organizations operating across multiple EU countries, this removes a significant source of duplication and inconsistency.
Need to run a DPIA? Our DPIA template walks you through the Article 35 process step by step.
New Article 41a: technical criteria for when pseudonymised data is not considered personal data
This article gives the Commission power to adopt implementing acts that define specific criteria and techniques for determining when pseudonymised data no longer constitutes personal data for a given entity.
In practice, this means regulators would publish clear technical thresholds, rather than leaving organizations to make that judgment independently. This gives more certainty to data science, healthcare, and research teams working with processed datasets.
New Article 88a: cookie rules move into the GDPR
Rules around cookies and trackers have lived in the EU ePrivacy Directive (also referred to as cookie law) since 2002 and have been applied at a national level across member states. The Omnibus moves them into the GDPR as new Article 88a.
Consent remains the default for storing or accessing information on a user’s device. But here’s what could change:
- A defined list of purposes would not require consent (strictly necessary storage, first-party audience measurement used only for your own purposes, security maintenance and fraud prevention).
- For banners, two key rules apply: you can’t re-ask someone while their consent is still valid, and if a user refuses, you cannot ask again for the same purpose for at least six months. A single-click reject option must also be as easy to reach as accept.
If you’re already using a CMP like iubenda, both rules can be handled at the configuration level. Learn how to do this in our configuration guide here.
“One question the proposal does not yet fully resolve is the fate of the EU ePrivacy Directive itself. The Omnibus moves the substantive cookie and tracker rules into the GDPR, but does not formally repeal the Directive. Until the legislative process concludes, both frameworks technically remain in play, which means the interaction between them, and how national implementations of the Directive will be treated, is still an open point to watch.”
Giulia Stancampiano, Director of Legal
New Article 88b: users can set privacy preferences at browser or OS level
This is the main structural response to consent fatigue, or the frustration users experience from being repeatedly asked to accept or reject cookies on every site they visit.
Users would be able to express privacy preferences centrally, via browser settings, a digital wallet, or similar tools, using machine-readable signals. Websites and apps would need to be able to read and respect those signals.
Media service providers are subject to a specific carve-out: even where a user has set a global rejection preference, a media provider may present the user with an alternative (for example, a subscription or pay option) rather than simply honoring the signal as a refusal. This is not an exemption from the signal itself, but a defined route to offer users a meaningful choice before treating their preference as final.
Even when users set global signal preferences, a consent management platform (CMP) is still required to enforce whether tracking actually runs on your site. Do you need a consent management platform? iubenda’s Privacy Controls & Cookie Solution is a certified CMP. See how it works.
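The Article 88a banner rules (no re-asking while consent is valid, a six-month cool-off after a refusal, an exempt-purpose list) and the Article 88b browser-level signal (with the media-provider alternative) together describe a decision a CMP has to make for every purpose on every page load. The block below is an added example written for this article; it is not iubenda's code and not text from the proposal. The shape of the stored consent record, the `rejectAll` signal field, the purpose names, the 182-day reading of "at least six months" and the assumed 12-month validity of a granted consent are all this example's own assumptions, and the sample scenarios are constructed.

```javascript
// Added example (not iubenda's code, not the proposal's text): a per-purpose consent
// decision modelling the Article 88a/88b rules as described in the article.
// Record shapes, signal fields, durations and purpose names are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;
const REFUSAL_COOLOFF_MS = 182 * DAY_MS;   // "at least six months", read here as 182 days (assumption)
const CONSENT_VALIDITY_MS = 365 * DAY_MS;  // how long a granted consent is treated as valid (assumption)

// Purposes the proposal would exempt from consent, per the article's list.
const EXEMPT_PURPOSES = new Set(['strictly_necessary', 'first_party_measurement', 'security']);

// Decide for one purpose whether storage/access may run and whether a banner may be shown.
//   record:        { decision: 'granted' | 'refused', at: epochMs } or null (stored on-site choice)
//   browserSignal: { rejectAll: boolean } or null (machine-readable preference, assumed shape)
//   options:       { isMediaProvider: boolean, now: epochMs }
function decideConsent(purpose, record, browserSignal, options) {
  const now = options.now;
  if (EXEMPT_PURPOSES.has(purpose)) {
    return { allowed: true, showBanner: false, reason: 'purpose exempt from consent' };
  }
  // A refusal blocks both tracking and re-prompting for the cool-off period.
  if (record && record.decision === 'refused' && now - record.at < REFUSAL_COOLOFF_MS) {
    return { allowed: false, showBanner: false, reason: 'refused within cool-off period' };
  }
  // A valid on-site consent runs and must not be re-asked while it lasts.
  // Assumption: an explicit on-site choice outranks a generic browser signal while valid.
  if (record && record.decision === 'granted' && now - record.at < CONSENT_VALIDITY_MS) {
    return { allowed: true, showBanner: false, reason: 'consent still valid' };
  }
  // No usable stored decision: read the browser-level signal (Article 88b).
  if (browserSignal && browserSignal.rejectAll) {
    if (options.isMediaProvider) {
      // Media providers may offer an alternative before treating the signal as final.
      return { allowed: false, showBanner: true, reason: 'signal rejects; offer alternative' };
    }
    return { allowed: false, showBanner: false, reason: 'browser signal rejects' };
  }
  return { allowed: false, showBanner: true, reason: 'no decision on record; ask' };
}

// Store a user's answer. Refusals and grants both get a timestamp so the
// cool-off and validity windows above can be computed later.
function recordDecision(decision, now) {
  if (decision !== 'granted' && decision !== 'refused') throw new Error('unknown decision');
  return { decision, at: now };
}

// "Single-click reject must be as easy to reach as accept": a layout passes only
// when rejecting takes no more clicks than accepting and at most one click.
function rejectAsEasyAsAccept(layout) {
  return layout.rejectClicks <= layout.acceptClicks && layout.rejectClicks <= 1;
}

// Constructed scenarios, evaluated at a fixed "now".
function runScenarios() {
  const now = Date.UTC(2026, 0, 1);
  return {
    recentRefusal: decideConsent('advertising', recordDecision('refused', now - 30 * DAY_MS), null, { isMediaProvider: false, now }),
    expiredRefusal: decideConsent('advertising', recordDecision('refused', now - 200 * DAY_MS), null, { isMediaProvider: false, now }),
    validConsent: decideConsent('advertising', recordDecision('granted', now - 10 * DAY_MS), null, { isMediaProvider: false, now }),
    exempt: decideConsent('strictly_necessary', null, { rejectAll: true }, { isMediaProvider: false, now }),
    signalOnSite: decideConsent('advertising', null, { rejectAll: true }, { isMediaProvider: false, now }),
    signalOnMedia: decideConsent('advertising', null, { rejectAll: true }, { isMediaProvider: true, now }),
  };
}

console.log(runScenarios());
```

Note that the decision function only answers "may this run, and may I ask?": the browser signal is read, not written, and enforcement (actually not setting the cookie or not loading the tag) still has to happen in the CMP, which is the point made above about a signal not replacing a consent management platform.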
New Article 88c: a defined legal basis for training AI on personal data
AI developers have operated in significant uncertainty about whether training AI systems on personal data is lawful under the GDPR.
New Article 88c establishes a defined route: this processing may rely on legitimate interest, provided the controller maintains enhanced transparency about the purpose of AI training and gives data subjects an unconditional right to object.
This isn’t a blanket authorization. The legitimate interest balancing test still applies, and the safeguards required scale with the sensitivity of the data and the risk level of the system.
Legitimate interest is the most flexible of the six legal bases under the GDPR. It allows data processing without user consent, based on the controller’s or a third party’s interests, as long as the individual’s rights and freedoms don’t override those interests.
Full summary table: all article changes at a glance

What to keep in mind
The Digital Omnibus is still moving through the legislative process, and the final text will not be what the Commission published. The personal data definition, the cookie signal rules, and the AI training basis are all areas where the EDPB and other actors have signaled they want changes.
The most useful thing to do now is map the provisions that would affect your operations most directly (whether that’s breach notification thresholds, DPIA obligations, or cookie consent flows) so that when the final text is confirmed, you’re not starting from scratch. We’ll continue publishing guidance as the process develops.