The European Commission’s Digital Omnibus Package Proposal (the Proposal) represents one of the most comprehensive realignments of the EU’s digital regulatory landscape since the introduction of the GDPR. This comes in addition to the changes the European Commission proposed in May 2025 under Omnibus IV.
The long-awaited text, leaked during the previous weekend and now formally published, has already prompted extensive commentary and analysis. As anticipated, the Proposal introduces a series of impactful changes that may shape how organisations manage personal data, develop and deploy AI systems, and structure compliance processes across multiple legal regimes.
Although the Digital Omnibus package is not yet law and may undergo significant revision considering early reactions, it already highlights several areas where organisations may need to adapt. The selection below focuses on the changes with the most direct impact on day-to-day compliance work from the perspective of the GDPR.
Revised Identifiability Criteria per SRB Judgment
The Proposal clarifies Art. 4 para. 1 GDPR, i.e. the definition of “personal data”, by stating that information is not to be considered personal data for a given entity when that entity does not have means reasonably likely to be used to identify the natural person to whom the information relates. This essentially codifies the approach adopted by the Court of Justice of the European Union (CJEU) in EDPS v Single Resolution Board (C-413/23 P) where an “actor-specific understanding” of personal data was applied.
It is further stated that the Commission may adopt implementing acts to specify means and criteria for determining whether data resulting from pseudonymisation no longer constitutes personal data for certain entities. This will be determined by assessing the state of the art of available techniques, as well as by developing criteria and/or categories for controllers and recipients to assess the risk of re-identification for typical recipients.
In practice, this may narrow the scope of information treated as personal data, but only where organisations can demonstrate that re-identification is not reasonably possible. It will be important that organisations continue to involve data protection officers or privacy consultants when making these evaluations.
New Derogations for Special Category Data
The Proposal also introduces new derogations for the processing of special category data, including biometric verification under the sole control of the user and residual processing of special-category data in the development or operation of AI systems (subject to conditions).
Cookie Regime Brought Under GDPR
All personal data processing via cookies, software development kits (SDKs), and tracking technologies will be brought under the GDPR framework and will only be allowed when a user has given consent in accordance with the GDPR. Additional exemptions are also introduced for processing personal data through such technologies without consent, namely for creating aggregated information about the usage of an online service to measure the audience of that service (where this is carried out by the controller of the service solely for its own use) and for maintaining or restoring the security of a service, or of the terminal equipment used for that service, provided by the controller at the request of the data subject.
Notably, the Proposal also states that if data processing is based on consent, individuals must be able to refuse consent easily with a single-click option. If someone declines consent, the controller cannot ask for consent again for the same purpose for at least six months.
Protection Against “Revenge” DSARs
The Proposal gives data controllers the ability to reject or charge an appropriate fee for handling data-subject access requests (DSARs) where the request is not made for data-protection purposes and constitutes an abuse of the right. This may be particularly relevant for organisations facing DSARs used tactically in employment-related disputes.
Renewed Standard for Breach Notifications
The Proposal raises the threshold for notifying supervisory authorities of personal data breaches under Art. 33 para. 1 GDPR. Under the amended wording, only breaches that are likely to result in a high risk to individuals require notification. This marks a notable shift from the current framework, where controllers must notify unless they can demonstrate that a breach is unlikely to result in a risk. In practical terms, the burden moves from a presumption of notification to a more targeted, risk-driven approach.
The Proposal also extends the notification timeline from 72 to 96 hours and introduces a single entry point for reporting, intended to cover breach-reporting obligations under other legislation as well, including NIS2 and DORA.
Clarity for Article 35 Required DPIAs
The Proposal requires the European Data Protection Board (EDPB) to issue EU-wide blacklists and whitelists specifying which processing operations do or do not require a mandatory data protection impact assessment (DPIA). The EDPB would also develop a common methodology for carrying out DPIAs. For organisations, this will create more consistent criteria across Member States and a clearer structure for carrying out DPIAs.
Training AI Models Recognised as a Legitimate Interest
The Proposal explicitly recognises the processing of personal data for the development and operation of AI models as a potential legitimate interest. This clarification follows extensive debate over the past year involving supervisory authorities and large platforms. For organisations, this means that AI-model training may be carried out on the basis of legitimate interest, subject to a documented balancing test and appropriate safeguards, allowing controllers to rely on an opt-out model rather than requiring consent. In practice, this will require organisations to update their legitimate-interest assessments, implement clear user-facing opt-out mechanisms and ensure that technical and organisational measures are in place to mitigate risks arising from model-training activities.
Conclusion
The Digital Omnibus Proposal introduces a broad set of amendments that, if adopted, would significantly affect how organisations approach data protection and AI governance. However, it is important to emphasise that the text is still at the proposal stage. Early reactions from regulators, industry groups and civil-society organisations indicate that several elements may face substantial scrutiny as the proposal enters the parliamentary negotiation process. It is therefore uncertain how much of the current wording will survive unchanged.
For organisations, the Proposal should be viewed as an indicator of future regulatory direction rather than a definitive rulebook. Monitoring the legislative process, assessing which internal practices may be affected and preparing for potential adjustments will help ensure readiness once the final text is agreed.
21. November 2025 @ 10:05
Brilliant article, a lot of food for thought!
20. November 2025 @ 11:14
Excellent summary, highly informative and very well written. Thank you!