EU Digital Omnibus: First Comments


The draft EU Digital Omnibus Regulation Proposal (the 'Digital Omnibus') was released by the European Commission on 19 November 2025. Its stated aim was to simplify compliance with several regulations for SMBs, including privacy (the 'GDPR'), but it is already clear that this is not what it achieves.


One of the key changes concerns the definition of personal data under GDPR Article 4. It would be revised to exclude information where the entity holding it does not have "means reasonably likely to be used" to identify the individual. Under the proposed definition, pseudonymised data could fall outside the scope of the GDPR in the hands of one entity, even if another entity could identify the individual. This could have a big impact on organisations in life sciences. Until we get clarification, however, we still need to treat pseudonymised personal data as falling under the GDPR.


The Omnibus would also reduce the obligation of Transparency for Data Controllers, if "there are reasonable grounds to expect that the data subject already has the information" and where "the processing is not likely to result in a high risk to the data subject," within the meaning of Article 35.


NOYB's analysis document (version 2.0 dated January 2026) states 'Only a few of the planned changes in the Digital Omnibus (e.g. rules on “consent banners”) meet the legislative objective of meaningful simplification and increase of consistency, even if also for those changes, improvements to the texts are still needed.'


Regarding scientific research, the Digital Omnibus states that scientific research constitutes a legitimate interest within the meaning of Article 6(1)(f). This would be a big change from today, where countries like Spain, Italy, Germany and Poland hold that the only possible legal basis for clinical research is the GDPR consent of the patient.


Regarding Data Subject Access Requests, the Omnibus proposal would empower controllers either to reject excessive requests or to charge a reasonable fee to process them.

Regarding DPIAs, the Omnibus recommends that the EDPB releases a clear list of processing operations for which a DPIA is mandatory, replacing all the national lists. The Omnibus also calls for an EU-wide common DPIA template. This would clearly harmonise and simplify the job for everybody.


NOYB thinks that the Digital Omnibus might reduce the rights of data subjects whose data is collected for scientific research (see page 17 of the NOYB document).




FOCUS ON THE PRODUCER ROLE


EU's General Data Protection Regulation ('GDPR') states in recital 78 that "producers of products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications".


For example, the provider of healthcare software should enable healthcare professionals to collect the consent of patients in a way that is compliant with local healthcare laws and with guidelines for electronic signatures.

Let's look at an example where a software provider caused a large data breach and was fined by a Data Protection Authority:


On 22 December 2025, the French Data Protection Authority ('DPA'), the CNIL, imposed a financial penalty of EUR 1,700,000 on the company NEXPUBLICA FRANCE.

NEXPUBLICA provides the software PCRM for managing relations with the public for social activities. 

In October 2022, a customisation error by NEXPUBLICA in its software allowed dozens of users to see the personal data of 14,000 other vulnerable persons in the software. This personal data breach was caused by insufficient technical security measures for managing role-based access.


In conclusion, even if a software provider doesn't provide the hosting of the software, it has a responsibility in the way the software is designed and secured.


Read the press release from the CNIL here.


To learn more on the role of Producer in the EU/EEA GDPR, contact Bertrand at b.p.lebourgeois@pharmarketing.net





Examples of Non-Compliance with Health Data Privacy


Data Protection Authorities ('DPAs') published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.

For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisations: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).

Many thanks to GDPR hub NOYB and to IAPP for all this valuable information!


Austria:


Fact:


A court held that a medical diagnosis is a subjective professional opinion and not factual information; the diagnosis can therefore not be subject to the right to rectification under Article 16 GDPR. Read more on GDPRhub.


Takeaway:


This makes a lot of sense. By the way, if it is factual information (for example, a diagnostic device determining with 99.999% probability that a patient has cancer), I don't see how the patient could ask the healthcare professional to remove this information from their medical record. That said, we understand the logic of the patient who doesn't want this information to spread around and reach the ears of their neighbourhood, or even worse reach their insurance company.


Belgium:


Fact:


The DPA issued a warning to Medex, a federal agency for medical expertise, to ensure appropriate technical and organisational measures for the transmission of medical records, after the loss and misplacement of several medical records and the failure to notify the loss of one of the records to the DPA. Read more on GDPRhub.


Takeaway:


Privacy laws mandate that personal data breaches must be notified to the local data protection authority if you consider that the impact on the private life of the data subjects could be significant. In addition, every organisation must have appropriate Technical and Organisational Measures ('TOMs') in place to secure and protect personal data, especially when transferring patient data to another organisation. Lastly, you must check that the receiving organisation complies with privacy laws BEFORE transferring the personal data.


Fact:


The DPA issued a reprimand to a hospital for failing to implement sufficient measures for managing access to electronic health records, after a physiotherapist accessed information on the sex of an unborn child and revealed it to the mother. Read more on GDPRhub.


Takeaway:


First, both GDPR and healthcare laws state that only a member of the healthcare team can access a given patient's data.

Second, the hospital should have given the physiotherapist access only to the patient data related to their own domain. This is called role-based access and is key to preventing unauthorised access to information.
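The two checks described in this takeaway, team membership first and then a role-to-domain restriction, as an added illustration (this is constructed example code, not the hospital's system nor anything from the GDPRhub decision; the roles, clinical domains and user identifiers are all hypothetical):

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed example: which clinical domains each role may read. A physiotherapist
# has no business reading obstetric data such as the sex of an unborn child.
ROLE_DOMAINS = {
    "physician":       {"general", "obstetrics", "physiotherapy", "lab"},
    "midwife":         {"general", "obstetrics"},
    "physiotherapist": {"general", "physiotherapy"},
}

@dataclass
class User:
    user_id: str
    role: str

@dataclass
class Patient:
    patient_id: str
    care_team: Set[str]   # user ids of the healthcare team treating this patient

@dataclass
class Record:
    patient_id: str
    domain: str           # clinical domain the record belongs to
    content: str

class AccessDenied(Exception):
    pass

def check_access(user: User, patient: Patient, record: Record, audit: List[str]) -> None:
    """Raise AccessDenied unless both conditions hold; every decision is audited."""
    if record.patient_id != patient.patient_id:
        raise ValueError("record does not belong to this patient")
    who = f"{user.user_id} ({user.role}) -> {record.patient_id}/{record.domain}"
    # 1. Only a member of the patient's healthcare team may access that patient's data.
    if user.user_id not in patient.care_team:
        audit.append(f"DENY {who}: not on care team")
        raise AccessDenied("user is not on the patient's care team")
    # 2. Even a team member only sees the domains their role is responsible for.
    if record.domain not in ROLE_DOMAINS.get(user.role, set()):
        audit.append(f"DENY {who}: outside role domain")
        raise AccessDenied(f"role '{user.role}' may not read '{record.domain}' data")
    audit.append(f"ALLOW {who}")

def is_allowed(user: User, patient: Patient, record: Record, audit: List[str]) -> bool:
    """Boolean wrapper for callers that prefer a decision over an exception."""
    try:
        check_access(user, patient, record, audit)
        return True
    except AccessDenied:
        return False
```

The audit list is what lets a hospital detect the Belgian scenario after the fact: a DENY entry citing "outside role domain" is exactly the event that should be reviewed.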


Estonia:


Fact:


Two patients submitted personal data access requests to Nura OÜ, a dental practice, to obtain copies of the final results of their treatment and the scans of their retainers. After the practice failed to respond to their access requests, the DPA issued a warning to the controller along with an order to provide the two patients with information on their medical treatment. Read more on GDPRhub.


Takeaway:


Per EU/EEA privacy laws, it is mandatory to provide the personal data requested within one month. This can be extended to 3 months in total if it proves difficult to find and gather the personal data.


France:


Fact:


A court found that a patient cannot request from a hospital (in this case Eaubonne Montmorency Hospital Centre) the rectification of a medical assessment, since this assessment constitutes a subjective opinion. The court held that this is the case even when the controller's diagnosis differs from subsequent diagnoses. Read more on GDPRhub.


Takeaway:


Same as the case that took place in Austria, see above.


Norway:


Fact:


The DPA's appeal board upheld a NOK 1,500,000 (€132,000) fine against Argon Medical Devices for a failure to notify the DPA of a data breach in time, ruling that the 72-hour reporting period starts when a breach is discovered and cannot be delayed due to internal procedures. Argon suffered a security breach in July 2021 but did not notify Datatilsynet until September 2021.

Argon argued that they did not need to notify the breach until they had a full overview of the incident, and this belief was reflected in their internal procedures. Read more on GDPRhub.

Takeaway:


Organisations should always notify their local DPA of a personal data breach within 72 hours if they think it could be deemed serious, or if they are unsure. Then, in a second step, once they have performed a forensic analysis, they can update the local DPA and, if needed, discuss with the DPA whether they should 1) notify the data subjects and 2) put additional security measures in place.


Spain:


Fact:


On 20 February 2024, Barcelonesa de Drogas y Productos, a chemical products manufacturer, acting as the controller, notified the DPA of a personal data breach involving the possible theft of credit card payment data. Barcelonesa sold products on its website. The breach involved malicious code in the e-commerce application that captured cardholder data and sent it to an external server. Barcelonesa had carried out no risk analysis for the payment system and had ignored an earlier warning from a data subject. The Authority considered these circumstances to demonstrate serious negligence. Barcelonesa had also relied on two external service providers for payment-related processing without any written data processing agreements.

Read more here: AEPD (Spain) - EXP202404934 - GDPRhub



Takeaway:


Always perform a risk assessment for personal data processing operations that typically attract cyberattackers, and sales via websites are known for that. In addition, it is mandatory to put appropriate, strong privacy clauses in the contracts with the subcontractors who manage the selling website, and to perform a vendor prequalification before engaging them. Then, it is best practice to re-evaluate such vendors on a regular basis and, if you suspect something, to conduct an audit, remote or on site.


Fact:


The DPA fined a hospital €1,200,000 for unlawfully destroying a patient's CDs containing medical data and for failing to comply with the principle of data protection by design and by default. Read more on GDPRhub.


Takeaway:


The hospital should have contacted the patient before putting the CDs in the bin.





FDA's final guidance: Enhancing Participation in Clinical Trials



FDA released its final guidance, Enhancing Participation in Clinical Trials, on 15 December 2025.



https://www.fda.gov/regulatory...




Brazil is an Adequate Country!



The European Commission and Brazil adopted mutual adequacy decisions. 

Brazil is the 16th adequate country regarding EU/EEA's GDPR.


This means organisations in the EU/EEA can freely send personal data to organisations in Brazil. The data transfer will be GDPR compliant. It is no longer mandatory to draft a Data Transfer Agreement containing the Standard Contractual Clauses of the EU Commission.


The reverse is also true: organisations in Brazil can freely send personal data to organisations in the EU/EEA.


That said, the exporting organisation should still check that the receiving organisation complies with privacy laws. In particular, it should check that the receiving organisation has technical and organisational security measures in place, and that all staff have been trained on privacy laws.


Read here:

EU-Brazil data adequacy agreement



  1. Which country has been deemed adequate by the EU Commission in January 2026? b) Brazil

  2. The UK's new privacy update, the DUAA, introduced a new right for all data subjects: c) Right to complain