Discover the main changes introduced by the Digital Omnibus to update and harmonize the GDPR: personal data, AI, cookies, and more.
The European Commission has launched a new phase of adjustment to the digital regulatory framework with the proposal known as the Digital Omnibus. The initiative does not question the level of protection provided by the GDPR. It seeks instead to make the GDPR more operational and consistent in practice, reducing unnecessary administrative burdens and strengthening legal certainty for organizations in an increasingly complex and technologically advanced digital environment.

The most significant changes are listed below:
- Concept of personal data
  - It clarifies when information should be treated as "personal data." It will only be considered as such if it can actually be used to identify someone. If it does not reveal who the person is, it will not be necessary to apply all the GDPR rules.
- Principle of purpose limitation
  - Data collected for a specific purpose may be reused for scientific research, statistical purposes, or archiving, provided that measures are taken to protect individuals, such as concealing identities or using only the data that is strictly necessary.
- Exceptions for the processing of special categories of data
  - Sensitive data has strict protections, but there will be two very specific exceptions:
    - They may be used to train artificial intelligence systems, but only in a limited way and with very strict measures.
    - They may be used to verify identity through biometrics, provided that the person retains control of the process.
- Duty to inform
  - Companies must always inform individuals how they use data, but the Digital Omnibus allows for flexibility in this obligation when the risk is low and the information is already known to the individual. However, this flexibility does not apply when there are international transfers, automated decisions, or processing that may generate a high risk. In research, flexibility may also be allowed when informing each individual is impossible or disproportionate.
- Automated decisions
  - The permitted cases are not expanded, but it is clarified that a decision may be "necessary for a contract" even if a manual alternative exists, providing greater legal certainty.
- Security breaches
  - Notification will only be mandatory when a high risk is likely, with an extended deadline of 96 hours and a future one-stop shop integrated with cybersecurity.
- Impact assessments
  - Progress towards European harmonization of criteria. There will be single lists of processing operations, a common methodology, and common templates, reducing the current fragmentation.
- Cookies and similar technologies
  - The system is integrated into the GDPR: clearer consent, one-click opt-out, and respect for technical privacy preference signals.
- Artificial intelligence
  - Legitimate interest is recognized as the legal basis for training artificial intelligence systems, with measures to ensure data minimization, transparency, and the right to object.
