Data Protection Requirements in Clinical Trials

Safeguarding Data Protection and Privacy in Research: Data Protection Impact Assessments and the Clinical Trials Landscape

Clinical trials form the cornerstone of biomedical progress. They provide the evidence base for new therapies, diagnostics, and medical devices, all while involving some of the most sensitive categories of personal data. In an era of increasingly decentralised studies, complex data flows, and cross-border collaboration, the governance of personal data in clinical research has become as vital as the scientific protocols themselves. This reality places data protection, and in particular the requirement to conduct Data Protection Impact Assessments (DPIAs), at the heart of ethically and legally robust trials.

Across the European Union and European Economic Area, the General Data Protection Regulation (GDPR) sets a clear expectation: where processing is likely to result in a high risk to individuals’ rights and freedoms, a DPIA is not merely advisable — it is mandatory. The processing of special category data, such as health-related information, triggers heightened scrutiny. In clinical trials, this scrutiny is more than procedural. It touches on participant autonomy, data sovereignty, and the fundamental trust between the research community and society.

This article explores the DPIA obligation in the context of clinical trials, drawing from authoritative guidance developed by Ireland’s National Clinical Trials Oversight Group (NCTOG) and supported by the Irish Data Protection Commission (DPC). It situates these responsibilities within the broader framework of EU data protection law, while also reflecting the operational realities faced by sponsors, investigators, ethics committees, and Data Protection Officers (DPOs).

A Regulatory Imperative, Not a Formality

At its core, a DPIA is a structured process that enables organisations to identify, assess, and mitigate risks associated with personal data processing. It embodies the GDPR’s principle of accountability and operationalises the concept of privacy by design. While DPIAs may take different formats depending on the nature and scale of processing, their objective remains consistent: to anticipate data protection risks before they materialise, and to document the rationale behind the chosen safeguards.

Clinical trials typically involve the systematic collection and analysis of data concerning participants’ health, genetic information, lifestyle, and sometimes even biometric or behavioural data. The processing often occurs over extended periods, involves multiple entities across jurisdictions, and uses advanced technologies such as electronic data capture systems, cloud-based trial management platforms, and artificial intelligence tools for statistical analysis or remote monitoring. Each of these dimensions amplifies the potential risk to data subjects.

Under Article 35(3) of the GDPR, a DPIA is required in situations involving the large-scale processing of special category data or systematic monitoring of individuals. These criteria are routinely met in the design and conduct of clinical trials. It is therefore essential for sponsors and sites to treat the DPIA not as a tick-box requirement, but as an embedded part of the trial planning process.

Defining Roles: Controllers, Processors and Joint Arrangements

A fundamental step in assigning DPIA responsibility is determining the role of each participating organisation. The GDPR distinguishes between data controllers, who determine the purposes and means of processing, and data processors, who act on a controller’s documented instructions.

In the clinical trial domain, the sponsor is frequently the entity that defines the protocol, determines the data that will be collected, and decides how it will be analysed. In such cases, the sponsor is clearly acting as a data controller. If the trial site, which is typically a hospital or academic institution, simply follows the sponsor’s protocol and manages data on the sponsor’s behalf, it functions as a processor.

However, not all arrangements are so straightforward. Increasingly, trial sites participate in protocol design, select subsets of data to retain locally, or use the data for secondary research. Where decision-making around data processing is shared, the sponsor and site may be deemed joint controllers under GDPR (Art. 26). This designation carries specific obligations, including the need for a transparent joint controller agreement and a clear delineation of responsibilities toward data subjects.

In both the controller–processor and joint controller scenarios, the responsibility for conducting a DPIA lies with those determining the purposes and means of processing. Where roles are shared, the parties must reach a practical and lawful arrangement for completing the DPIA. The NCTOG guidance confirms that local hospital DPOs and ethics committees are not responsible for the DPIA, although they may have supporting roles or be consulted during the process.


| Responsibility / Factor | Sponsor as Controller | Trial Site as Processor | Joint Controllers (Sponsor & Site) | Independent Controllers |
|---|---|---|---|---|
| Determines purposes and means of processing | ✔️ | | ✔️ (jointly) | ✔️ (separately) |
| Initiates and conducts DPIA | ✔️ | | ✔️ (collaborative or delegated) | ✔️ (each independently) |
| Primary accountability under GDPR | ✔️ | | ✔️ (shared) | ✔️ (individual) |
| Requires joint controller or processor agreement | ✔️ (Processor Agreement) | ✔️ | ✔️ (Joint Controller Agreement) | |
| Consults with DPO before trial begins | ✔️ | | ✔️ (both) | ✔️ (each separately) |
| Handles data subject rights | ✔️ | ❌ (unless instructed) | ✔️ (must coordinate) | ✔️ (each controller) |
| Provides data protection notice | ✔️ | | ✔️ (joint or coordinated) | ✔️ (individually) |
| Defines legal basis and mitigates risk | ✔️ | | ✔️ (shared or divided) | ✔️ (each independently) |


The Ethics Committee Is Not the DPO

One of the more persistent misconceptions in the clinical trial landscape is the belief that ethics committee approval substitutes for a DPIA. This confusion stems from the fact that both processes occur early in the study lifecycle and are designed to safeguard participants’ interests. However, they are fundamentally distinct.

An ethics committee evaluates the clinical rationale, safety considerations, and integrity of the informed consent process. It assesses whether the proposed research design is proportionate, scientifically valid, and ethically sound. Data protection may be mentioned, but it is not the central focus. In contrast, a DPIA scrutinises the data processing elements of the project. It examines the lawfulness of processing, the compatibility of purposes, data minimisation strategies, storage limitations, security measures, and the extent to which data subjects can exercise their rights.

The GDPR is explicit on this point. DPIA obligations exist independently of other sector-specific approvals. Ethics committees are not tasked with reviewing DPIAs, and a trial may require additional safeguards beyond those imposed by ethics boards. The distinction must be respected to ensure that data protection responsibilities are not overlooked or fragmented.

DPIAs in Practice: Timing, Consultation, and Iteration

A well-conducted DPIA begins well before the first participant is enrolled. It should form part of the initial feasibility and risk assessment stages of the trial, when data flows are being designed and operational partners are being selected. Delaying the DPIA until after key decisions are made diminishes its value and can expose the sponsor to unnecessary regulatory risk.

The GDPR encourages the consultation of a DPO where one has been appointed. In clinical research, this consultation is not only legally prudent but practically beneficial. DPOs can bring critical insights regarding data retention schedules, international transfers, lawful bases for processing under both Articles 6 and 9, and mechanisms for handling data subject rights. Where multiple jurisdictions are involved, local DPOs or legal experts may be consulted to address national derogations or ethics frameworks.

The DPIA should not be treated as a static document. Clinical trials often evolve through protocol amendments, new study arms, or technology upgrades. Each of these changes may affect the data processing landscape. Sponsors should revisit and, where necessary, revise their DPIAs in response to these developments. This iterative approach aligns with the accountability principle and positions the DPIA as a living instrument rather than a bureaucratic artefact.

Distinguishing Medical Consent from GDPR Consent

In the context of clinical trials, the concept of “consent” carries distinct legal and ethical meanings depending on the framework in which it is applied. One of the most frequent sources of confusion, both among research professionals and participants, is the assumption that informed medical consent automatically satisfies the requirements for valid consent under data protection law. However, this is not the case.

Medical or clinical consent relates to a person’s agreement to participate in a clinical trial or medical intervention. It is governed by ethical and clinical standards, typically overseen by ethics committees and national legislation. This form of consent ensures that participants understand the purpose, procedures, potential risks, and benefits of the study, and that their decision to participate is voluntary, informed, and free from coercion.

By contrast, GDPR consent is one of several legal bases available for processing personal data under Article 6 of the General Data Protection Regulation. When special category data such as health information is involved, as it nearly always is in clinical trials, Article 9 also applies, requiring a separate condition to legitimise processing. GDPR consent is defined by a strict set of criteria: it must be freely given, specific, informed, unambiguous, and capable of being withdrawn at any time, without detriment.

These differences have practical consequences. While informed consent is ethically indispensable for trial participation, it may not always be the appropriate or reliable legal basis for processing personal data under GDPR. This is especially true in scenarios where the data processing is essential to comply with legal obligations, to perform a task in the public interest, or to fulfil the sponsor’s legitimate interests, provided that such interests are not overridden by the rights and freedoms of the participant.

Moreover, GDPR consent must be separable from clinical consent. Participants must be able to decline or withdraw their data processing consent without necessarily withdrawing from the trial itself, which is not always feasible in practice. As a result, many sponsors and ethics boards prefer to rely on alternative lawful bases such as public interest in the area of public health or scientific research purposes under Article 9(2)(j), supported by appropriate safeguards such as pseudonymisation, data minimisation, and robust governance controls.

Ultimately, it is crucial to treat medical and data protection consents as distinct instruments serving different legal and ethical purposes. DPIAs offer a valuable opportunity to document this distinction, justify the choice of lawful basis for data processing, and ensure that participant-facing materials clearly explain the difference. This approach not only enhances compliance but also reinforces transparency and respect for the individuals at the heart of the research.

Documentation, Transparency and Responding to Challenges

The value of a DPIA lies not only in its risk analysis but also in its documentation. Regulatory authorities may request evidence that the DPIA was completed and that appropriate mitigation measures were implemented. In high-risk cases where the DPIA indicates that the processing would still result in significant residual risks, the controller must consult the relevant supervisory authority before proceeding. While such consultations are rare in clinical trials, sponsors must be prepared to demonstrate that they considered the option if applicable.

Transparency is equally important. While the DPIA itself is not typically published, its outcomes may be summarised in participant information leaflets or data protection notices. These summaries should strike a balance between accessibility and accuracy, enabling participants to understand how their data will be used, protected, and governed.

Responding to data subject requests, whether for access, rectification, or objection, is another area where the DPIA can prove useful. It should outline the procedures for managing such requests, especially where joint controller arrangements are in place. Clarity on responsibilities can help avoid delays and ensure consistent communication with participants.

Supervisory Oversight: Ireland’s DPC and Broader EU Implications

The NCTOG guidance, reviewed and approved by Ireland’s Data Protection Commission, offers a structured and practical interpretation of DPIA responsibilities in clinical trials. While it reflects the Irish regulatory environment, its core principles are aligned with guidance from the European Data Protection Board (EDPB) and are applicable across the EU.

Sponsors operating multinational trials should be alert to national variations in ethics oversight, data protection enforcement, and health legislation. Some Member States impose additional conditions on processing health data, particularly in the context of public health or scientific research. These conditions may affect the DPIA content or consultation processes. Engaging with local DPOs and legal counsel is therefore essential in cross-border settings.

From a regulatory risk perspective, supervisory authorities increasingly expect organisations to demonstrate not only formal compliance but substantive accountability. A DPIA that is generic, outdated, or disconnected from operational practice will not withstand scrutiny. Conversely, a well-reasoned and evidence-based DPIA can serve as a shield in the event of complaints or inspections.

Looking Ahead: Embedding DPIAs in Research Culture

The ultimate goal of data protection law is not to obstruct research but to enable it in a way that respects the dignity and autonomy of individuals. In this sense, DPIAs are not a burden but a tool of empowerment. They prompt researchers to consider the ethical and legal dimensions of data use at every stage of the trial. They foster interdisciplinary collaboration between scientific, legal, and technical teams. They provide transparency and reassurance to participants who entrust their data to the research enterprise.

For sponsors and investigators, this means moving beyond minimal compliance and toward a culture of proactive privacy management. For DPOs, it means engaging with research teams early and often, providing pragmatic advice that supports both innovation and data protection. For oversight bodies and ethics committees, it means clarifying their respective roles and encouraging alignment across governance processes.

As the clinical trials landscape becomes more digital, decentralised, and data-driven, the importance of DPIAs will only grow. By investing in robust, context-sensitive DPIAs, the research community can strengthen its social license, mitigate legal risks, and uphold the foundational values of trust, transparency, and respect.

XpertDPO submission for Implementation Dialogue on the application of the General Data Protection Regulation

Please see written contributions below on the requested topics:

  1. Further simplification/reduction of administrative burden
  • What are your views on possible further simplification of the GDPR, going beyond the recent Commission’s proposal to simplify the record keeping obligations?

While we support efforts to ease the administrative burden on organisations, we do not believe that further simplification of the General Data Protection Regulation (GDPR) itself is the appropriate route. The text of the Regulation provides a robust and flexible framework for data protection across the Union. The key challenge lies not in the complexity of the law per se, but in its practical implementation by data controllers and processors of varying sizes and resources. Meaningful simplification should focus on practice, not principle. This could be achieved through the provision of standardised, practical tools and implementable guidance at EU level.

While the GDPR is designed to be scalable, in practice smaller organisations and public bodies often struggle with resource constraints. Practical simplification efforts should be targeted at making compliance achievable for these groups without compromising the rights of individuals. Toolkits designed specifically for these organisations, such as model RoPAs, sample DPIA templates, or pre-assessed processing scenarios, could provide substantial relief. For example, providing a master RoPA template, endorsed by the EDPB, with common entries for high-risk areas (e.g. HR, marketing, finance) would be a major step forward. These could be expanded upon where necessary but would offer a clear and accessible starting point for all organisations — particularly SMEs. Similarly, organisations would benefit greatly from harmonised EU-level guidance on the use of threshold assessments as a preliminary step to determine whether a full DPIA is required, and from standardised templates for both types of assessment. Clear, consistent, and accessible interpretation of these processes would significantly reduce uncertainty and improve compliance, particularly among SMEs and public bodies.

We strongly disagree with the suggestion that reducing the scope of the Record of Processing Activities (RoPA) obligations would meaningfully simplify compliance. On the contrary, the RoPA serves as a foundational accountability and compliance instrument. It is an essential resource for understanding and managing data flows, enabling organisations to respond effectively to data subject access requests, security incidents, and audits. Without it, organisations risk operating without a clear overview of what personal data they hold, where it resides, to whom it pertains, and with whom it is shared — ultimately increasing, not reducing, the administrative burden when issues arise.

Rather than removing or limiting RoPA obligations, as proposed, we believe there is a need to support their fulfilment through structured templates, training, and sector-specific guidance. Cutting RoPA requirements would ultimately backfire; organisations that lack a comprehensive understanding of what data they hold, where it resides, and how it is processed are less equipped to manage DSARs, breaches, and DPIAs. This would increase, not decrease, administrative burden in the long run.

We also caution against any approach that determines RoPA obligations based on organisational size or staff numbers. Such a threshold is not reflective of actual data protection risk and runs counter to the GDPR’s fundamental principle of a risk-based approach. A small organisation may process highly sensitive or large volumes of personal data, while a larger organisation may carry out limited low-risk processing. Compliance requirements should be based on the nature, context, and scope of processing — not arbitrary metrics. We note that the proposed amendment would still require an organisation to hold a RoPA where the processing is likely to result in a high risk, but this will be open to interpretation by controllers and supervisory authorities, potentially creating more confusion and inconsistency.

A RoPA is essential for making informed, risk-based compliance decisions. Without it, a DPO cannot assess processing risks or recommend appropriate technical and organisational measures (TOMs). It also underpins the practical implementation of other key requirements, such as data minimisation, storage limitation, and security.

Clarity is also needed on how any proposed simplification of record-keeping obligations would impact the role of Article 27 EU Representatives, given that maintaining access to the RoPA is one of their core legal responsibilities under the GDPR. Without a RoPA, the EU Representative role is hollow, as they lack a foundational tool to respond to data subject inquiries or regulator requests. This raises questions about whether that function will remain fit for purpose.

The solution is not to strip back core accountability tools, but to make them easier to implement. Practicality, not deregulation, should be the goal. With appropriate templates, guidance, and training, even smaller organisations can maintain a RoPA and carry out meaningful DPIAs — both of which are critical to embedding risk awareness and sustainable compliance across the EU digital ecosystem.

  • Which targeted amendments would potentially appear useful to reduce administrative burden of controllers and processors, while maintaining the GDPR’s risk-based approach and ensuring the high level of data protection?

As stated in our response to question (a), the path to reducing administrative burden lies not in undermining key compliance mechanisms, but in identifying practical and proportionate adjustments. A clear example of this is the significant burden posed by the growing misuse of data subject access requests (DSARs). While we fully recognise the importance of the right of access as a core pillar of data protection law, it is increasingly evident that the mechanism is being misused by some individuals in ways that diverge from its original intent. Organisations are often required to expend considerable time and resources in responding to access requests that are not driven by a genuine desire to understand or verify the use of one’s personal data, but rather serve as a means to harass, disrupt, or apply pressure.

To address this, we recommend a targeted amendment to Article 12 or Article 15 of the GDPR to introduce a clearer and more practical exemption for manifestly vexatious or abusive DSARs. Article 12(5) GDPR currently provides for the refusal of requests that are “manifestly unfounded or excessive.” However, the interpretation of this provision remains uncertain and inconsistently applied across Member States. Interpretation remains open-ended and is largely determined by context, case law, and regulator guidance — all of which lack legal certainty and consistency.

The addition of a clear exemption for vexatious requests would help reduce the disproportionate administrative burden that comes with these requests in the absence of any genuine data protection benefit. The UK FOIA provides a well-developed and regulator-tested framework for identifying and managing vexatious requests. A similar structured approach — including a non-exhaustive set of indicators and regulator oversight — could be adapted to data protection, offering clarity for organisations while preserving individuals’ rights through meaningful recourse mechanisms. The UK’s Information Commissioner’s Office (ICO) has developed extensive guidance on how to identify such requests, taking into account factors such as the burden on the organisation, repetitiveness, intent to disrupt, or absence of serious purpose. This approach recognises that upholding fundamental rights must also be balanced against the need to protect organisations from malicious or obstructive behaviours that undermine effective governance.

Importantly, any such exemption must be paired with a recourse mechanism for data subjects, ensuring that if a request is refused, the individual retains the right to complain to the competent supervisory authority. The authority should then have the power to review the decision and, where appropriate, compel the organisation to comply. This maintains a high level of data protection while guarding against abuse of the system.

It is essential to underscore that compelling organisations to process vexatious or abusive access requests does not enhance compliance or improve data protection practices. Instead, it diverts valuable resources from genuine data governance activities and can undermine the overall efficacy of an organisation’s privacy programme.

A comparable, well-defined framework under the GDPR for managing abusive or vexatious data subject access requests would provide much-needed clarity and consistency for data controllers, reduce administrative overhead, and enhance the practical effectiveness of data protection compliance — without undermining the rights of genuine data subjects. We believe this is a proportionate and targeted solution that respects the principle of accountability while aligning with the Regulation’s risk-based approach.

  2. Increasing legal certainty, reducing fragmentation, and further harmonising enforcement
  • What are the measures you would consider useful to increase legal certainty, to reduce the fragmentation in the application of the GDPR, and to further harmonise its enforcement?

A critical measure for increasing legal certainty and reducing fragmentation would be to provide greater clarity and interpretive consistency on provisions that are currently open-ended, such as the treatment of “manifestly unfounded or excessive” requests under Article 12(5) GDPR. As noted in our response to the previous question, in the absence of precise, harmonised guidance on when a data subject access request (DSAR) may be considered manifestly unfounded or excessive, and on whether this encompasses abusive or vexatious requests, the matter is left open to interpretation by controllers and national supervisory authorities and results in divergent practices across Member States. Some supervisory authorities interpret these provisions narrowly, obliging controllers to respond to requests even in clearly disruptive circumstances, while others apply more practical thresholds.

This inconsistency creates uncertainty for organisations operating in multiple jurisdictions and undermines the Regulation’s foundational principle of legal predictability. It also dilutes the effectiveness of the GDPR’s risk-based approach, by forcing organisations to expend resources responding to requests that do not meaningfully advance data protection objectives.

To address this, we strongly recommend that the European Data Protection Board (EDPB), in cooperation with national supervisory authorities, develop and adopt practical guidance on the application of Article 12(5), including illustrative criteria for identifying vexatious, excessive, or manifestly unfounded requests, as well as a model response protocol for handling and documenting such DSAR refusals. This would assist controllers and streamline regulatory oversight.

More broadly, the EDPB should coordinate the development of harmonised operational tools, including:

  • Baseline RoPA templates applicable across sectors and risk levels, which could be tailored by industry associations;
  • DPIA templates and threshold assessment frameworks that reflect common criteria for risk evaluation;
  • Sector-specific guidance developed in collaboration with industry, regulators, and civil society.

In addition, we support further expansion of the Consistency Mechanism under Chapter VII of the GDPR, not only for high-profile cross-border cases but also for interpretive matters that have wide operational impact. Increased use of joint EDPB initiatives, including binding guidelines where appropriate, would mitigate fragmentation and help ensure that enforcement is applied evenly, fairly, and predictably across the Union.

Finally, it is essential that resourcing of supervisory authorities be addressed at the EU level. Disparities in enforcement capacity and expertise between Member States perpetuate fragmented outcomes. Dedicated EU funding or coordination mechanisms could help elevate baseline regulatory capability and foster greater alignment.

Legal certainty and harmonised enforcement will only be achieved through a shared commitment to practical convergence — not only through the letter of the law, but through common operational standards, interpretive unity, and cooperative oversight.

  3. Facilitating compliance with GDPR
  • What are your views on the various tools under the GDPR, e.g. codes of conduct and certification, that could be exploited to facilitate compliance with the GDPR?

Codes of conduct and certification mechanisms have strong potential to support structured, risk-based compliance with the GDPR. However, their use remains limited due to procedural barriers and a lack of clear, practical guidance.

Codes of conduct, in particular, offer a valuable framework for promoting ongoing best practice, accountability, and sector-specific governance. A master code of conduct developed at EU level — and adapted by industry associations for specific sectors — could provide a harmonised baseline, reduce fragmentation, and ensure more consistent uptake across Member States. This should be accompanied by regulatory guidance on drafting and implementing sectoral codes, with flexibility to accommodate different organisational sizes and risk profiles.

We believe the approach to codes of conduct should be simplified and made more scalable, following a model of graduated self-governance, similar to what is already seen under frameworks like the NIS2 Directive. In that model, organisations are responsible for ensuring compliance through internal governance structures, with external scrutiny only triggered in the event of a breach or incident.

Another option is to introduce a tiered model that distinguishes between self-attested codes and verified codes. Under a self-attested code, organisations align with a sectoral code and maintain internal records of adherence, operating on a trust-and-monitor basis where compliance is presumed unless breached. Verified codes are subject to external certification or audit, potentially through a designated monitoring body or independent assessor, for organisations that wish to obtain formal assurance or demonstrate enhanced compliance. This model would allow flexibility and encourage broader participation while maintaining enforceability where needed.

While we acknowledge the intent behind the GDPR certification mechanism and recognise the potential value of certifications in sectors like cloud providers, we do not believe that a general GDPR certification offers significant value to most organisations or to the public. In practice, GDPR certifications are not widely understood or recognised by the public, and their relevance in day-to-day compliance decision-making is limited. In our experience, codes of conduct provide greater real-world utility, particularly because they can be tailored to the specific operational realities of different sectors and encourage continuous best practice. Sectoral codes allow for the development of practical, meaningful standards that reflect the nuanced challenges faced by different industries, and as such, offer a more accessible and impactful route to promoting sustained, risk-based compliance.

  • What challenges have you faced in relation to the use of such tools and what solutions would you propose to address these challenges?

The primary challenges with both codes of conduct and certification mechanisms are procedural complexity, limited accessibility, and unclear practical benefits — particularly for smaller organisations.

For codes of conduct, the requirement to designate a code owner and a monitoring body (unless public sector), and to go through a formal approval process, is overly onerous. Sector associations often lack the resources or expertise to navigate these requirements, which discourages participation. Furthermore, the absence of clear EU-level templates or examples has led to confusion and inconsistent implementation.

To address this, we propose:

  • A graduated model (self-attested vs. verified codes) to encourage wider adoption;
  • An EU-endorsed master code with sector-specific adaptations;
  • EU-level guidelines for development and implementation, including the role of industry bodies and DPOs;
  • The ability for organisations to self-monitor, with regulatory oversight triggered only in case of breach or complaint.

In terms of GDPR certification, there is limited visibility into how certification translates into regulatory benefit. Certification is viewed as inaccessible to many organisations and as offering unclear value beyond reputational optics. Compounding this is the lack of public awareness or understanding of what certification signifies. For most individuals, GDPR certification does not meaningfully influence trust or decision-making, as the schemes are not widely recognised or communicated in an accessible way.

To improve the effectiveness and uptake of certification mechanisms, there should be greater clarity on their regulatory relevance — for example, whether certified status may be considered a mitigating factor in enforcement or an indicator of accountability. In parallel, increasing public visibility and trust in certification could be achieved through centralised EU-endorsed registers, public education campaigns, and standardised trust marks that clearly signal what certification entails. Without these efforts, certification risks remaining a symbolic or siloed exercise rather than a practical compliance tool.

  1. Clarifying the articulation with other digital legislation
  • Is there a need to further clarify the interplay of the GDPR with other EU digital legislation?

Yes, we believe there is a need for clearer communication and guidance on how the GDPR interacts with other EU digital legislation — particularly to dispel concerns and perceived complexity among smaller organisations.

In practice, the interplay between the GDPR and instruments such as the AI Act, Data Act, and Digital Services Act will have the greatest operational impact on larger enterprises and high-risk sectors. However, among SMEs and public sector bodies, there is a growing perception that the expanding digital regulatory framework will significantly increase their compliance burden, even where their obligations under other laws may be limited or indirect.

This perception of complexity can be as damaging as actual regulatory overlap. It may deter organisations from engaging confidently with compliance requirements, particularly where they lack the legal or technical capacity to interpret how multiple frameworks interact. Many simply want to know: “Does this change what I need to do under GDPR?”

To address this, we recommend the European Commission and EDPB provide:

  • Clear, accessible guidance on how emerging digital legislation intersects with the GDPR;
  • Side-by-side comparisons or visual mapping tools showing areas of overlap, complementarity, or separation;
  • Practical case studies to illustrate typical compliance responsibilities by sector or organisation type.

This would help reduce unnecessary apprehension, support proportionate implementation, and allow organisations — especially SMEs — to focus on the obligations that actually apply to them. Strengthening understanding, rather than adding layers of regulation, is key to supporting sustainable data governance across all sectors.

  • Can you provide some specific examples of provisions for which the interplay of the GDPR and other digital legislation has appeared to be challenging?

The interplay between the GDPR and the ePrivacy Directive has been complex due to overlapping scopes, inconsistent enforcement, and fragmented implementation across the EU. While the GDPR provides a unified framework for personal data protection, the ePrivacy Directive governs specific areas like cookies and electronic communications, often requiring stricter consent standards. This has created confusion, particularly around the legal basis for processing, e.g. where the GDPR allows legitimate interest, the ePrivacy Directive may demand explicit consent. The standard for obtaining valid consent evolved with the introduction of the GDPR, requiring consent to be freely given, specific, informed, and unambiguous. This higher standard conflicted with earlier interpretations under the ePrivacy Directive, leading to uncertainty about what constitutes valid consent in contexts like cookie usage and electronic marketing.

Enforcement also differs as the GDPR relies on centralised data protection authorities, while the ePrivacy Directive may involve multiple regulators per Member State, leading to fragmented oversight. As a directive, ePrivacy has been implemented differently across Member States, adding further complexity for cross-border organisations. Although the EDPB has issued opinions on the interplay, practical guidance remains limited, reinforcing the need for harmonisation and clearer communication.

Similar issues are foreseen in the interplay between the GDPR and the AI Act. For example, biometric data is defined differently under the two laws, and each regulates it in a different way, which creates confusion for organisations attempting to comply with both frameworks. Under the GDPR, biometric data is treated as a special category only when it is used to uniquely identify an individual, triggering stricter processing conditions. In contrast, the AI Act focuses on the use of biometric systems themselves, particularly real-time identification and surveillance, which are classified as high-risk or even prohibited in certain contexts. This difference in focus — one on the nature of the data, the other on its use — leads to uncertainty about which obligations apply in practice and whether both frameworks must be followed concurrently. Greater clarity is needed to reconcile these definitions and provide consistent guidance for organisations developing or using biometric technologies.

These examples reinforce the need for structured, accessible comparative materials and a focus on inter-regulatory coherence. As the digital legislative landscape continues to evolve, ensuring that GDPR remains the anchor point — while clearly articulating how it connects with other instruments — will be critical for sustained, effective compliance.

Data Protection Officer Services