The Digital Omnibus: A quick glance at the GDPR impact

• Easier data sharing and pseudonymisation for analytics and R&D.
• Controllers must document identifiability assessments.
  • Risk of inconsistent interpretations by DPAs.

The proposal adds two (2) new exemptions to Article 9 (2) GDPR:

• biometric verification under the exclusive control of the data subject: the processing of biometric data is permissible when required to confirm identity, provided both the biometric information and verification mechanisms remain exclusively under the individual’s control (e.g., secure on-device authentication); and
• residual processing of sensitive data during AI development and operation: AI developers may process inadvertently captured sensitive data if robust mitigation measures are implemented.

• Enables privacy-preserving biometric verification (e.g., passwordless logins, on-device ID checks).
• Ensures legal certainty for AI training and testing, even with incidental sensitive data.
• Maintains strict requirements for governance, documentation, filtering, and mitigation.

• Helps combat litigation-driven or commercial misuse of DSARs.
• Controllers still bear the burden of proof.
• High-volume DSAR environments (transport, fintech, platforms, retail) benefit the most.

• the controller - data subject relationship is clear and circumscribed;
• the processing is not data-intensive; and
• it is reasonable to assume that the data subject already has the key information.

This limited information obligation is subject to carve-outs (third‑country transfers, onward disclosures, automated decision making, high-risk).

• Supports AI-driven onboarding, credit scoring, verification, and fraud analysis.
• Still requires safeguards, transparency, and human-review possibilities.

• Notification duty arises only for breaches likely to result in a high risk (aligned with duty to notify data subjects).
• Notification deadline extended to 96 hours.
• All notifications must be made via a single EU entry point.
• Harmonised notification template to be prepared by the EDPB.

• Fewer low-risk/no-impact notifications.
• Better alignment across GDPR, NIS2, DORA, CRA reporting.
• Organisations must update incident response procedures and timelines.

• Could significantly expand data-sharing possibilities.
• Provides a structured risk-based method for pseudonymisation assessments.

• Cookie/terminal equipment rules become part of the GDPR.
• New consent exemptions for low-risk purposes.
• Standards for the interpretation of machine-readable indications of data subjects’ choices.

• Major shift in cookie management and AdTech models.
• Reduced reliance on banners once automated signals are widespread.

Processing personal data for AI system/model development may rely on legitimate interests under Art. 6 (1) (f) GDPR, provided:

• no overriding rights/interests (especially for children); and
• enhanced safeguards are implemented (data minimisation during source selection, training, testing, protections against residual disclosure, enhanced transparency, unconditional right to object).

• Creates a structured path for AI training and deployment.
• Aligns with the AI Act.
• Expect scrutiny on minimisation and opt-out mechanisms.