The European Commission has presented a Single Market Strategy to create a simpler, more seamless and stronger European market. As part of this Strategy, a simplification package has also been published which, in addition to several other proposals, also proposes simplifications to the GDPR. The Commission's package is closely linked to the competitiveness report published in 2024 by Mario Draghi ("Draghi report"), which also drew attention to the need to simplify EU rules and whose findings are also reflected in the Commission's 2025 work programme.
The Commission has identified a set of 'Terrible Ten' Single Market barriers on the basis of comprehensive consultations of stakeholders:
- Complicated business establishment and operations
- Overly complex EU rules
- Lack of Single Market ownership by Member States
- Recognition of professional qualifications
- Long delays in standard-setting that weigh on innovation and competitiveness
- Fragmented rules on packaging, labelling and waste
- Outdated harmonised product rules and lack of product compliance
- Restrictive and diverging national services regulation
- Burdensome procedures for temporary posting of workers
- Territorial supply constraints
As part of the proposals, with regard to the GDPR, the simplification would affect the record-keeping obligation (Art. 30 GDPR). The Commission's proposal would introduce the concept of small mid-cap companies ("SMCs"), and several SME-specific rules would become applicable to SMCs as well.
What are small mid-cap companies?
The European Commission would define a new category of companies, small mid-caps (SMCs), i.e. companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in total assets. Currently, nearly 38,000 companies in the EU fall into this category.
(Short reminder: According to the Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises, "the category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.")
What GDPR amendments are proposed?
According to the proposal, the text of the GDPR - in addition to Article 4 containing definitions - would be affected in three places:
- Article 30(5) on records of processing activities (RoPA) would be amended, extending the exemption from the obligation to record processing activities to companies with fewer than 750 employees; the amendment would also clarify the content of the exception to this exemption,
- in the context of codes of conduct (Article 40), not only the specific needs of micro, small and medium-sized enterprises (SMEs) but also the needs of small mid-cap enterprises must be taken into account in the future,
- with regard to certification (Article 42), the obligation to take into account the needs of SMCs will also be added.
The planned amendment to the rules on record-keeping can be considered a somewhat more substantial amendment, although its impact is unlikely to be very significant, as the number of affected companies in the EU is only 38,000.
According to the proposal, Article 30(5) of the GDPR would be amended as follows:
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 750 persons unless the processing it carries out is likely to result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35.
(Article 35 of the GDPR contains the obligations related to the data protection impact assessment (DPIA) and in this context defines the processing activities that are likely to result in a high risk.)
The essence of the proposal is therefore that organisations employing fewer than 750 people should not have to keep records of processing activities, unless they are likely to carry out high-risk processing activities.
What is stated in Article 30(5) of the GDPR now?
According to the current text of the GDPR: "The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."
Thus, on the one hand, the proposal raises the limit based on the number of employees (from 250 to 750) and, on the other hand, simplifies and clarifies the exceptions to the exemption from record-keeping obligations (for all organisations with fewer than 750 employees, i.e. including SMEs). It is worth noting that the number of employees is not a very good indicator in the context of data processing obligations. In the field of digital services, we can see many examples where large-scale data processing takes place with a very small number of employees. (And I won't even go into the fact that the nature of the employment relationship can also depend on many things, so organizations that do not operate in a way that uses "classic employment relationships" can also fall within the scope of the exemption, even if they have more "human resources" under other contractual terms, such as "contractors".)
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) assessed the proposal earlier in a joint letter (at that time, it was considered to extend the exemption to companies with fewer than 500 employees). In their letter, the EDPB and the EDPS expressed "preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations."
What can this amendment mean in practice?
The comments on the amendment can be divided into two parts: (i) the extension of the exemption from record-keeping, and (ii) the definition of the cases in which the exemption is not applicable.
(i) Extension of the exemption from record-keeping
The extension of the exemption from record-keeping presumably seemed like an easy simplification, since this amendment can be made without serious consideration of the logic of data protection: only a number needs to be changed in the GDPR, and it can immediately be stated that important steps have been taken against excessive bureaucracy.
At the same time, the record-keeping obligation is one of the fundamental tools of data protection compliance and is closely linked to the principle of accountability (Article 5(2) of the GDPR), according to which the controller shall be responsible for, and be able to demonstrate, compliance with data protection rules. Therefore, the question arises as to how a data controller can operate in an accountable manner, and how a data processor can fulfil its other obligations arising from the GDPR, if up-to-date information on ongoing data processing activities is not ensured. Without a proper mapping of data processing activities, no other data protection obligation can be fulfilled. (E.g. how can a data controller comply with its obligation to provide information, or with a data subject's access request, if it is not aware of what data processing it is carrying out, or if it has no record of that processing? How can a data processor comply with its obligations under Article 28 of the GDPR if it has no overview of the data processing services it provides? How can controllers or processors comply with the obligations related to data transfers to third countries if they do not properly assess the processing activities and record the results? Further examples could be listed here.)
In this context, please also see the Position Paper of the Article 29 Working Party (WP29, predecessor of the EDPB), published in 2018, on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR: "The WP29 highlights that the record of processing activities is a very useful means to support an analysis of the implications of any processing whether existing or planned. The record facilitates the factual assessment of the risk of the processing activities performed by a controller or processor on individuals' rights, and the identification and implementation of appropriate security measures to safeguard personal data – both key components of the principle of accountability contained in the GDPR."
It is also important to note that it is not the record-keeping itself that requires a lot of resources, but the mapping and assessment of data processing activities. However, the mapping and assessment of processing activities must be done in any case, because otherwise it is not possible to assess whether a given data processing activity is "likely to result in a high risk" or not; this assessment is unavoidable, as processing that is likely to result in a high risk remains subject to the record-keeping obligation.
(ii) Determination of the cases in which the exemption does not apply
The exception to the exemption reverts to the main rule: organizations with fewer than 750 employees must still keep records of high-risk data processing. By referring to Article 35 of the GDPR, this part of the provision will certainly be clearer in the future. Additionally, the current text refers to processing activities that are "likely to result in a risk" (i.e. the bar for the record-keeping obligation is much lower); therefore, for organizations with fewer than 250 employees, which are currently only partially exempt from record-keeping, this also represents a change (a further simplification).
Reviewing the current and proposed new logic for the exemption and its exceptions, we can see the following (where an exception applies, the general rule of record-keeping is applicable):

| | Exemption from the record-keeping obligation | Exception 1 | Exception 2 | Exception 3 |
|---|---|---|---|---|
| Current rule | an enterprise or an organisation employing fewer than 250 persons | the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects | the processing is not occasional | the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10 |
| Proposed new rule | an enterprise or an organisation employing fewer than 750 persons | the processing it carries out is likely to result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35 | - | - |
In summary, the proposed amendment is likely to be "more smoke than flame" and will not provide substantial relief for organizations employing fewer than 750 people if they otherwise want to comply with their other data protection obligations. However, it is a step forward that the rule currently in force can become clearer, at least in terms of the wording of the exception to the exemption.