Digital Markets Act: Mapping the Interplays with the GDPR
This resource maps the interplays between the Digital Markets Act and the GDPR.
Contributors:
Müge Fazlioglu
CIPP/E, CIPP/US
Principal Researcher, Privacy Law and Policy
IAPP
This infographic is part of a series that maps different EU digital laws with the GDPR.
The Digital Markets Act applies to the core platform services of designated gatekeepers, which may also qualify as controllers or processors under the EU General Data Protection Regulation, creating numerous points of intersection between the two laws. In many ways, the DMA complements the GDPR by fostering end users’ control and choices over the processing of their personal data, strengthening protection for the integrity and confidentiality of that data and reinforcing the rights to data portability and data access for end users and business users.
This resource, drawing from the EU Digital Laws Report 2025, maps interplays between the DMA and the GDPR.
The IAPP additionally hosts a Digital Markets Act: 101 chart, part of a European Strategy for Data series that provides an overview of EU privacy, cybersecurity and AI legislation.
Digital Markets Act and GDPR interplay mapping
Digital Markets Act
- Article 5(2)
Gatekeepers are prohibited from processing, combining and cross-using personal data collected via their core platform services for certain purposes (e.g., providing online advertising).
GDPR
- Articles 4(11), 6(1)(a), 6(1)(c-e) and 7
Exceptions to these prohibitions include providing a choice to and obtaining consent from end users or if there is a lawful basis for processing under GDPR Article 6(1)(c-e).
Digital Markets Act
- Article 6(4)
Gatekeepers must allow and technically enable the installation and effective use of third-party software applications or app stores through means other than the relevant core platform services of the gatekeeper while ensuring end users’ security.
GDPR
- Articles 5(1)(f), 5(2), 24-25 and 32-34
While meeting requirements under DMA Article 6(4), gatekeepers must adopt appropriate technical and organizational measures and demonstrate compliance with their obligations related to the processing of personal data, data protection by design and by default, and integrity and confidentiality in relation to personal data. Gatekeepers must also enable the effective handling of personal data breaches.
Digital Markets Act
- Article 6(9)
Gatekeepers must, upon request and free of charge, provide end users (and any authorized third parties) the right to portability of data provided by or generated by the activity of the end user.
GDPR
- Articles 20 and 28(3)
Unlike GDPR Article 20, DMA Article 6(9) applies irrespective of the lawful ground on which the gatekeeper processed personal data and requires gatekeepers to provide continuous, real-time data portability.
Digital Markets Act
- Article 6(9)
Portability requests initiated by end users (and any authorized third parties) may involve international transfers of personal data.
GDPR
- Articles 4(11), 7, 45 and 49(1)(a)
In accordance with GDPR Article 45, gatekeepers may not restrict data portability requests involving the transfer of personal data outside of the European Economic Area to a third country recognized by a European Commission decision as providing an adequate level of data protection. For portability requests to other countries, gatekeepers should seek end users’ explicit and specific consent after informing them of the possible risks of such transfer, meeting the meaning and requirements of consent in GDPR Article 4(11) and Article 7.
Digital Markets Act
- Article 6(10)
Gatekeepers must, upon request and free of charge, provide business users (and any authorized third parties) continuous and real-time access to data, including personal data, provided or generated by the business user or by end users engaging with the business users’ products or services in the context of the use of the gatekeeper’s designated core platform services.
GDPR
- Articles 4(11), 5(1)(c), 6(1)(a, c) and 7
When the personal data of end users is involved, the sharing of data under DMA Article 6(10) may only take place if the business user obtains the end user’s prior consent and complies with the data minimization principle under the GDPR.
Digital Markets Act
- Articles 6(10) and 13(5) and Recital 60
Gatekeepers have an obligation to provide mechanisms that enable business users to obtain the consent of their end users for access and retrieval required by Article 6(10).
GDPR
- Articles 4(11), 5(2) and 7
Gatekeepers should ensure that such a consent mechanism conforms with the meaning and requirements of consent as well as the accountability principle under the GDPR.
Digital Markets Act
- Article 6(11) and Recital 61
Gatekeepers have an obligation to provide online search engines with access to the ranking, query and click and view data related to free and paid searches generated by end users with any personal data contained therein anonymized.
GDPR
- Article 4(1) and Recital 26
In line with GDPR Article 4(1) and Recital 26, gatekeepers should ensure end users’ personal data is protected against the risk of reidentification by anonymization without significantly degrading the quality or usefulness of the data.
Digital Markets Act
- Article 7
Gatekeepers that provide number-independent interpersonal communication services are required, upon request and free of charge, to provide interoperability via necessary technical interfaces or similar solutions to other providers of number-independent interpersonal communication services.
GDPR
- Articles 5(1)(b-c) and 35
Gatekeepers should only process personal data that is strictly necessary to provide effective interoperability in adherence with the GDPR’s data minimization and purpose limitation principles. Under GDPR Article 35, gatekeepers are also likely to need to carry out a data protection impact assessment to implement their interoperability obligations.
Digital Markets Act
- Articles 5(2), 15, 36(3) and 37 and Recitals 37 and 12
The enforcement framework of the DMA is without prejudice to and remains fully applicable with respect to claims by data subjects relating to any infringement of their rights under the GDPR. Cooperation and coordination between the Commission, European Data Protection Board and national data protection supervisory authorities are explicitly required by both Union law and the DMA.
GDPR
- Article 4(16)
When a gatekeeper has a “main establishment” within the meaning of GDPR Article 4(16), then the relevant lead supervisory authority should be the interlocutor of the Commission in cases where cooperation and coordination of enforcement is required. In particular, consultation would be required where the Commission seeks to examine whether a gatekeeper’s conduct complies with the DMA and also needs to examine that same conduct’s consistency with the GDPR, and conversely, where a national data protection authority examines whether a controller’s or processor’s conduct complies with the GDPR and must also assess that conduct’s consistency with the DMA.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.