GDPR and New Digital Regulations: Toward Stronger Coherence in the European Data Protection Framework

DPO Consulting
This is some text inside of a div block.
January 21, 2026

Table of contents

Example H2

The GDPR as a Cross-Cutting Foundation of New European Digital Regulations

The European Data Protection Board (EDPB) is increasingly asserting the central role of the GDPR within the European digital regulatory ecosystem. The GDPR is now conceived as a structuring reference framework, designed to interact with the Digital Markets Act (DMA), the Digital Services Act (DSA), and the forthcoming Artificial Intelligence Act (AI Act).

This approach is part of the EDPB’s 2024–2027 strategy, which explicitly aims to strengthen regulatory coherence, legal certainty, and the effective protection of fundamental rights in a context marked by the multiplication of digital obligations.

The Interaction Between the GDPR and the DMA: Major Institutional Clarifications

The joint guidelines published by the EDPB and the European Commission represent a structural advancement in European digital governance. Their purpose is to ensure complementary application of the GDPR and the DMA, particularly with regard to platforms designated as gatekeepers.

Several key principles are reaffirmed:

  • Primacy of GDPR principles: obligations imposed by the DMA cannot justify processing activities that run counter to the principles of data minimisation, purpose limitation, or proportionality;
  • Strict framework for consent: where the DMA imposes certain functional obligations (interoperability, access to data), reliance on consent remains required whenever the processing is not strictly necessary to comply with a legal obligation;
  • Protection of fundamental rights: mechanisms for data access or enhanced portability must be designed in a way that preserves the rights of data subjects.

These clarifications reflect an explicit intention to prevent any autonomous interpretation of the DMA that could weaken the level of protection guaranteed by the GDPR.

GDPR and the AI Act: Complementarity Based on the Protection of Fundamental Rights

The gradual entry into force of the European Artificial Intelligence Act (AI Act) confirms this logic of regulatory articulation. The European legislator has expressly provided that the AI Act applies without prejudice to the GDPR, particularly where AI systems involve the processing of personal data.

Several key points of attention emerge:

  • Cumulative legal qualification: a system may simultaneously qualify as a high-risk AI system under the AI Act and as processing subject to the GDPR, thereby triggering parallel obligations (documentation, governance, risk analysis);
  • Training and testing data: the AI Act strengthens requirements relating to data quality, representativeness, and absence of bias, which complement the GDPR principles of lawfulness, data minimisation, and accuracy;
  • Impact assessments: in certain cases, a data protection impact assessment will need to be coordinated with the risk assessment required under the AI Act.

The EDPB and the European Data Protection Supervisor have repeatedly emphasised that the GDPR remains the central instrument for protecting individuals against intensive uses of artificial intelligence.

Operational Recommendations for Practical Compliance

Beyond high-level legislative texts, the EDPB continues to adopt a resolutely pragmatic approach by publishing targeted recommendations addressed to economic operators.

Among the issues recently addressed is the mandatory creation of user accounts in e-commerce. The EDPB recalls that:

  • account creation cannot systematically be a prerequisite for making a purchase;
  • alternatives such as guest checkout must be offered, unless there is an objective necessity (subscriptions, personalised services);
  • the design of user journeys must be guided by the principle of data minimisation.

These recommendations illustrate the EDPB’s intention to make the GDPR more operational by directly targeting website architectures, customer journeys, and CRM systems.

Strengthened Effectiveness of Rights: Coordinated Action on the Right to Erasure

The EDPB has also launched a coordinated European enforcement action focusing on the right to erasure (Article 17 GDPR), involving more than thirty national data protection authorities.

This initiative pursues two main objectives:

  • harmonising control methods and interpretations across national authorities;
  • improving the practical effectiveness of a right that is still applied unevenly across sectors.

This type of action marks a significant evolution in the role of the EDPB, which is now fully engaged in the operational coordination of GDPR enforcement at the European level.

Conclusion

Recent developments confirm the transformation of the EDPB into a true pillar of European digital regulation. By clarifying the interaction between the GDPR, the DMA, and the AI Act, by issuing operational recommendations, and by coordinating the actions of national authorities, the EDPB contributes to consolidating a coherent, protective, and effective legal framework.

The GDPR thus appears not as an isolated text, but as the cross-cutting foundation of an integrated regulatory ecosystem, designed to sustainably govern digital uses, structural platforms, and artificial intelligence systems.

European Data Protection Board (EDPB), Strategy 2024–2027
DMA and GDPR: EDPB and European Commission endorse joint guidelines to clarify common touchpoints | European Data Protection Board

Read this next

See all

Personal Data Breaches: Understanding the Rise in Incidents and Managing CNIL Notification Requirements

In recent times, hardly a week goes by without the media reporting that an organization has suffered a cyberattack leading to a data breach.

Read more

DPIA: EDPB launches a European template to harmonize GDPR impact assessments

The European Data Protection Board (EDPB) has adopted a European Data Protection Impact Assessment (DPIA) template, currently open for public consultation until June 9, 2026.

Read more

CNIL 2026 Priorities: Key GDPR Compliance Areas Organizations Must Anticipate

Each year, the CNIL defines priority areas representing around 20% of its inspections. For 2026, three major topics have been identified, find out which ones.

Read more
Stay up to date on all the latest data privacy and GDPR compliance news.
Your email address will be used to send you our newsletter as well as information concerning the activity and news of DPO Consulting. You can unsubscribe at any time by clicking on the unsubscribe link in the emails. To find out more about your rights, see our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
About us
Our expertise
myDPO
Contact us
contact@dpo-consulting.com
+33 (0)1 55 06 16 86
50, Avenue des Champs-Elysées, 75008, Paris, France
Outsourced DPOInternational DPODPO AssistanceEU RepresentativeUK RepresentativeData privacy training
Clinical Trial ComplianceGDPR Compliance auditPrivacy Impact Assessments (PIA)Digital transformationMulti regulatory complianceUK GDPR, UK DPA, & DUAA
Cybersecurity Compliance
CISO as a serviceCybersecurity maturity assessmentProject support
AI Act Compliance
AI Maturity assessmentAI Act training
DPO Consulting © 2026 All Rights Reserved |
Terms of Use
|
Privacy Policy
|
Cookie Policy
|
Legal Notice
Let’s create an experience as remarkable as your business
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Main pages
CMS Pages
Utility
Templates
hi@byq.studio
@byqstudio
+1 600 600 000