| Scope boundary | Start with Article 3 designation and the specific core platform service listed for the gatekeeper. The same undertaking may have DMA duties for one listed service and different treatment for another service. | Start with personal-data processing and the organisation's role in that processing. GDPR analysis does not depend on being a DMA gatekeeper. | Run the DMA scope test and the GDPR processing-role test separately before assigning controls or reusing evidence. |
|---|
| Covered actors | Article 5(2) restricts listed practices by gatekeepers: online-advertising processing of third-party-service end-user personal data, combining personal data across services, cross-using personal data across services, and signing users into other gatekeeper services to combine personal data, unless the DMA consent condition is met. | GDPR supplies the referenced meaning of consent and remains relevant to lawful personal-data processing. Do not infer wider GDPR tests from this page beyond the DMA's express references. | A consent screen for a gatekeeper may need both a GDPR privacy review and a DMA Article 5(2) review of the specific gatekeeper practice and user choice. |
|---|
| Trigger | Article 6(10) requires the gatekeeper, upon request and free of charge, to provide business users and authorised third parties with effective, high-quality, continuous and real-time access to relevant aggregated and non-aggregated data, including personal data only under the conditions stated in the DMA. | GDPR remains relevant when the data is personal data, including consent where the DMA requires end users to opt in to sharing. | Treat the API, entitlement, consent capture, data-category list, and request log as DMA evidence; link to GDPR records only for personal-data handling. |
|---|
| Core obligations | Article 6(9) requires effective portability, free of charge, for data provided by the end user or generated through the end user's activity in the relevant core platform service, including tools and continuous real-time access. | GDPR has its own data-portability right, but the DMA source grounds this page only for the DMA Article 6(9) gatekeeper obligation and its relationship to GDPR as applicable law. | Do not satisfy Article 6(9) only by pointing to a generic privacy download page; test whether the relevant CPS data, third-party authorisation flow, and continuous access requirement are covered. |
|---|
| Evidence record | Article 11 requires the gatekeeper to provide a detailed and transparent compliance report, a non-confidential summary, and at least annual updates. The Commission template asks for CPS-by-CPS and obligation-by-obligation evidence. | GDPR accountability records may support parts of the evidence, but a GDPR record alone is not an Article 11 report because Article 11 is tied to DMA Articles 5, 6, and 7. | Maintain a mapped evidence pack: CPS, DMA article, implemented measure, product or engineering change, consent or user-journey artifact, data source, indicator, owner, and linked GDPR record if relevant. |
|---|
| Timing and deadlines | Articles 5(9), 5(10), and 6(8) create DMA duties for gatekeepers around advertiser and publisher information, performance measuring tools, and data needed for independent verification of advertising inventory. | Where advertising data includes personal data or profiling, GDPR analysis remains a separate privacy workstream. The DMA sources here do not support detailed GDPR advertising tests. | Separate advertising-product evidence into DMA information-access evidence, GDPR privacy evidence, and any commercial confidentiality review. |
|---|
| Enforcement | The Commission is the DMA enforcement authority for gatekeeper obligations, designation, Article 11 reports, specification processes, and non-compliance proceedings. | GDPR enforcement is not described in detail by the DMA grounding used for this page; route privacy escalations through the organisation's GDPR governance and relevant supervisory-authority process. | Avoid penalty tables unless separately grounded. For this page, route DMA issues to the Commission-facing DMA owner and GDPR issues to privacy governance. |
|---|
| Overlap and reuse | Article 13 prohibits conduct that undermines effective compliance with Articles 5, 6, and 7 and specifically addresses making rights or choices unduly difficult or using interface design to subvert user or business-user autonomy. | GDPR review may also examine interfaces for valid consent and transparent processing, but this page only grounds the DMA anti-circumvention requirement and the DMA's references to GDPR consent. | Review consent prompts, choice screens, default settings, request forms, API access, and warning messages for both DMA effectiveness and GDPR privacy requirements where personal data is involved. |
|---|
| Practical decision rule | Start with Article 3 designation and the specific core platform service listed for the gatekeeper. The same undertaking may have DMA duties for one listed service and different treatment for another service. | Start with personal-data processing and the organisation's role in that processing. GDPR analysis does not depend on being a DMA gatekeeper. | Run the DMA scope test and the GDPR processing-role test separately before assigning controls or reusing evidence. |
|---|