Data Protection

DMA 2026: Commission Limits Data Access in Investigations Against Large Platforms

E
Equipo Editorial CambiosLegales
03 Jul 2026 7 min 0 views

Key data

RegulationCommission Decision (EU) 2026/1446, of June 30, 2026
PublicationJuly 3, 2026 (EU Official Journal)
Entry into forceJune 30, 2026
Affected partiesTechnology companies investigated under the DMA (gatekeepers) and natural persons whose data is held by the Commission in those proceedings
CategoryData Protection
Base RegulationRegulation (EU) 2022/1925 — Digital Markets Regulation (DMA)
Year2026
Impact analysis reserved for PRO
The detailed impact analysis of this regulation is available for users with a PRO plan or higher. Access the full content and receive personalized alerts.
From €9.99/month · Cancel anytime

If your company is listed in a proceeding by the European Commission for alleged breach of the Digital Markets Regulation (DMA, EU Regulation 2022/1925), you should know that as of June 30, 2026, there is an internal rule that expressly regulates what information the Commission can withhold from you about your own data and for how long.

The Decision (EU) 2026/1446, published in the Official Journal on July 3, 2026, does not create new compliance obligations for companies in the classical sense, but it does define the limits of the Commission's power over personal data it handles in its investigations. Understanding this framework is essential for any company or professional involved in a DMA proceeding.

What does this regulation establish?

The Decision sets the internal rules of the European Commission for the processing of personal data in the context of investigations, enforcement and supervision provided for in the DMA. Specifically, it regulates three areas:

  • Limitation of data subjects' rights: The Commission can restrict the right of access, rectification and deletion of personal data when its exercise could compromise an ongoing investigation.
  • Information obligations: The procedures that the Commission must follow to inform those affected about the processing of their data and the restrictions applied are defined.
  • Internal procedures: Internal mechanisms are established to apply these restrictions in a regulated manner, ensuring that they are proportionate and respect the essence of fundamental rights.

Restrictions are not automatic or unlimited. The rule expressly requires that any limitation be proportionate and that it does not violate the core of fundamental rights recognized in the EU Charter of Fundamental Rights.

Data subject's rightCan it be limited under this Decision?Condition
Access to own dataYesIf it would compromise the ongoing investigation
Rectification of dataYesIf it would compromise the ongoing investigation
Deletion of dataYesIf it would compromise the ongoing investigation
Information about processingYes, partiallySubject to internal procedures defined in the Decision

Economic and operational impact

This rule does not generate direct compliance costs for investigated companies. Its impact is procedural and strategic in nature: it affects the ability of companies and their representatives to know and control what personal data the Commission handles about them during a DMA proceeding.

The specific operational implications are:

  • Limitation of procedural defense: If the Commission restricts data access, the legal teams of investigated companies may have less visibility into the information the regulator handles, which conditions the defense strategy.
  • Management of employee and representative data: Personal data of executives, in-house lawyers or representatives who have participated in communications with the Commission may be subject to these restrictions without immediate notification.
  • Planning of legal resources: Investigated companies must anticipate that requests for data access made during the proceeding may be denied or deferred, which requires documenting internally all available information from the start of the proceeding.

Who does it affect?

  • Large digital platforms designated as gatekeepers under the DMA (currently: Alphabet/Google, Amazon, Apple, ByteDance/TikTok, Meta, Microsoft) that are or may be subject to Commission investigations.
  • Employees, executives and legal representatives of those platforms whose personal data (emails, statements, documents) have been collected by the Commission in the context of a proceeding.
  • Third parties (suppliers, business partners, whistleblowers) whose personal data has been provided to a DMA proceeding and who intend to exercise their rights before the Commission.
  • Legal advisors and consultants who manage the defense of investigated companies and need to know the actual scope of their clients' rights against the Commission.

Practical example

Imagine you are the Legal Director of a large mobile application distribution platform designated as a gatekeeper under the DMA. The Commission opens a formal investigation for alleged breach of the interoperability obligations of Article 6 of the DMA.

During the proceeding, the Commission has collected internal emails and statements from several executives of your company. One of those executives requests to exercise their right of access to know exactly what personal data of theirs is held in the proceeding.

Under Decision (EU) 2026/1446, the Commission can deny or defer that access request if it considers that granting it would compromise the integrity of the ongoing investigation. The denial must be justified, proportionate and respect the executive's fundamental rights. This scenario, previously regulated in a diffuse manner, is now formalized with defined internal procedures, which gives companies a clear—albeit restrictive—framework to anticipate the regulator's response.

Do you need to track this and other regulations?

Consult the full details in CambiosLegales

What should companies do now?

  1. Audit what personal data the Commission has collected: If your company is under DMA investigation, identify from the start of the proceeding what personal information of employees and representatives has been provided or collected, before access restrictions are applied.
  2. Document internally all available information: Given that requests for data access may be denied or deferred, it is critical to maintain complete internal records of all communications and documents related to the proceeding.
  3. Inform affected employees: Executives, in-house lawyers and representatives whose data may be in a proceeding should be informed that their rights of access, rectification and deletion may be temporarily limited under this Decision.
  4. Review protocols for responding to rights requests: If your company acts as an intermediary in providing data to the Commission, update your internal data protection procedures to reflect this new framework.
  5. Consult with the Data Protection Officer (DPO): The company's DPO should be aware of this Decision and assess its impact on the procedures for managing the rights of data subjects linked to DMA proceedings.

Frequently asked questions

What data protection rights can the Commission limit in a DMA investigation?

According to Decision (EU) 2026/1446, the Commission can limit the rights of access, rectification and deletion of personal data, as well as the right to receive information about processing. These limitations are only applicable when the exercise of those rights could compromise the ongoing investigation, and must always be proportionate and respect the essence of fundamental rights.

When did this rule on data in DMA investigations come into force?

Decision (EU) 2026/1446 came into force on June 30, 2026, although it was published in the EU Official Journal on July 3, 2026. It is applicable to all investigation, enforcement and supervision proceedings opened under the Digital Markets Regulation (DMA, EU Regulation 2022/1925).

Which companies does this European Commission Decision affect?

It primarily affects large digital platforms designated as gatekeepers under the DMA that are subject to Commission investigations. It also affects natural persons—employees, executives, legal representatives and third parties—whose personal data is held by the Commission in the context of those proceedings.

Can an employee of an investigated company exercise their GDPR rights against the Commission?

Yes, but with limitations. Decision (EU) 2026/1446 establishes that the Commission can deny or defer requests for access, rectification or deletion if granting them would compromise the investigation. The denial must be justified, proportionate and not violate the core of the applicant's fundamental rights.

What should I do if my company receives a DMA investigation and there is personal data of employees in the proceeding?

The most urgent thing is to document internally what data has been provided before access restrictions are applied, inform affected employees that their rights may be temporarily limited, and consult with the company's DPO to adapt the procedures for managing data subjects' rights to this new regulatory framework.

Official source

Consult the complete regulation in the official source

Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202601446



Share:
E
Equipo Editorial CambiosLegales

El equipo editorial de CambiosLegales analiza diariamente los cambios normativos que afectan a empresas y autónomos en España, ofreciendo análisis pro...

Comments

No comments yet. Be the first to comment!

Leave a comment
Get free alerts