Draft Amendments to the GDPR: European Commission Proposals on Reforming Personal Data Regulation
On 19 November 2025, within the framework of the Digital Omnibus initiative, the European Commission presented a draft of amendments to Regulation (EU) 2016/679, known as the General Data Protection Regulation (hereinafter — the GDPR).
Previously, we provided an overview of the European Commission’s proposals to amend the EU AI Act; however, this time we will examine the systemic changes proposed to the GDPR and how they may affect companies’ activities in the field of personal data.
1. Additions to the Definition of “Personal Data”
Under the current interpretation of the GDPR, personal data refers to any information enabling the identification of a data subject (Article 4 GDPR).
However, the proposed amendments revise this approach: information will not be regarded as personal data for a legal entity if that entity does not have means reasonably likely to be used to identify the natural person to whom the information relates.
In other words, information will not qualify as personal data if the entity cannot identify the relevant data subject taking into account “reasonably available means” of identification.
Pseudonymised Data
The amendments also affect the legal regime applicable to pseudonymised data:
- the European Commission will be empowered to establish criteria for assessing whether such data should be considered personal data for specific categories of organisations;
- where a company applies approved techniques and can demonstrate the impossibility of re-identification, such data may, in certain cases, cease to be classified as personal data.
2. Incorporation of Provisions on Artificial Intelligence
Previously, the GDPR scarcely regulated data processing in the context of AI (with the exception of Article 22). The current draft amendments aim to align the GDPR with the EU AI Act.
Key Proposals of the European Commission
The European Commission has introduced a number of proposals intended to clarify the circumstances under which personal data may be processed for AI-related activities:
- The insertion of a new Article 88(c) into the GDPR, which would allow developers of AI systems and models to lawfully rely on legitimate interest as a legal basis for processing personal data in the context of AI development and use. Such processing must, however, be carried out subject to appropriate organisational and technical measures, as well as safeguards for the rights and freedoms of data subjects.
- Amendments to Article 9 GDPR on the processing of special categories of personal data. The new provisions prohibit the use of special categories of data for the development and operation of systems.
Controllers will be required to:
- identify such data within datasets used for training, testing and validation;
- delete them once detected;
- document the measures taken.
3. Easing and Harmonisation of Certain Data Protection Obligations
The European Commission proposes revising several practical data protection obligations, including data subject access requests (hereinafter — DSARs), personal data breach notifications, and data protection impact assessments (hereinafter — DPIAs).
- With regard to DSARs, controllers will be granted the right to refuse to respond to a request or to charge a reasonable fee where a data subject abuses their rights for purposes unrelated to the protection of their data. However, the scope of this exception remains undefined.
- With regard to personal data breach notifications:
  - a higher threshold will be established for notifying supervisory authorities (only where a breach “may result in a high risk to the rights and freedoms of natural persons”);
  - the notification period will be extended from 72 to 96 hours. The development of a standardised notification form, as well as a list of circumstances constituting “high risk”, will be entrusted to the European Data Protection Board (hereinafter — the EDPB);
  - a single-entry system for submitting incident notifications will be introduced.
- With regard to DPIAs, requirements will be harmonised: the EDPB will compile uniform lists of processing activities that do or do not require a DPIA, and will also develop a standard template and methodology for conducting DPIAs.
Thus, the GDPR amendments are aimed at harmonising and simplifying data protection requirements, as well as standardising approaches to personal data protection across EU Member States.
The full text of the draft GDPR amendments is available via the link.
Authors: Liudmila Yepikhava, Aliaksandra Mahlysh.
Should you have any questions, the REVERA legal team is ready to provide consultations on personal data protection and AI regulation in accordance with GDPR requirements.