Summary statistics
Overlaps: 4 · Conflicts: 0 · Gaps: 2
6 article-level crossrefs catalogued between DMA and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| DMA Art 13 | GDPR Art 6 | overlap | high | [entity affected: gatekeeper] Both regulations require gatekeepers to ensure that consent for data processing is obtained lawfully and is not made more burdensome than for their own services, aligning |
| DMA Art 15 | GDPR Art 12 | overlap | medium | [entity affected: gatekeeper] DMA requires gatekeepers to publish an overview of profiling techniques, while GDPR requires controllers to provide transparent information about processing logic and sig |
| DMA Art 13 | GDPR Art 5 | overlap | high | [entity affected: gatekeeper] DMA prohibits degrading service quality for users exercising data rights, supporting GDPR's principle of fair and transparent processing and the right to withdraw consent |
| DMA Art ? | GDPR Art 22 | gap | high | [entity affected: gatekeeper] While DMA requires transparency on profiling techniques, it does not explicitly mandate the specific safeguards for automated individual decision-making (like human inter |
| DMA Art ? | GDPR Art 35 | gap | medium | [entity affected: gatekeeper] Neither the provided DMA excerpts nor the GDPR excerpts explicitly detail the Data Protection Impact Assessment (DPIA) requirements for high-risk processing, leaving a ga |
| DMA Art 11 | GDPR Art 24 | overlap | medium | [entity affected: gatekeeper] DMA requires gatekeepers to report on compliance measures, while GDPR requires controllers to implement and demonstrate appropriate technical and organizational measures, |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 4 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- DMA Art 13 vs GDPR Art 6 (high severity) — [entity affected: gatekeeper] Both regulations require gatekeepers to ensure that consent for data processing is obtained lawfully and is not made more burdensome than for their own services, aligning with GDPR's requirement for freely given consent.
- DMA Art 13 vs GDPR Art 5 (high severity) — [entity affected: gatekeeper] DMA prohibits degrading service quality for users exercising data rights, supporting GDPR's principle of fair and transparent processing and the right to withdraw consent without detriment.
- DMA Art 15 vs GDPR Art 12 (medium severity) — [entity affected: gatekeeper] DMA requires gatekeepers to publish an overview of profiling techniques, while GDPR requires controllers to provide transparent information about processing logic and significance, both aiming for transparency in automated decision-making.
- DMA Art 11 vs GDPR Art 24 (medium severity) — [entity affected: gatekeeper] DMA requires gatekeepers to report on compliance measures, while GDPR requires controllers to implement and demonstrate appropriate technical and organizational measures, both emphasizing accountability and documentation of compliance efforts.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between DMA and GDPR. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 4 overlaps as design opportunities — one control, two regulatory anchors. Treat the 0 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- dma vs dora comparison
- dma vs nis2 comparison
- ai act art 17 provider obligations
- ai act art 70 commission obligations
Check your full compliance exposure with the 5-minute Fontvera diagnostic →