EDPB and EDPS Back GDPR Changes to Ease Administrative Burden
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a Joint Opinion on the European Commission’s Proposal to amend several regulations, including the General Data Protection Regulation (GDPR). The Proposal is part of the fourth simplification Omnibus, which aims to simplify EU rules and reduce administrative burdens. It extends certain easing measures currently available to small and medium-sized enterprises (SMEs) to small mid-cap enterprises (SMCs) and adds further simplification steps.
A key change proposed is the modification of Article 30(5) GDPR, which currently exempts enterprises with fewer than 250 employees from the obligation to maintain records of data processing activities, except in specific cases. The Proposal would raise this threshold to enterprises with fewer than 750 employees, unless the processing is likely to result in a high risk to individuals’ rights and freedoms as defined in Article 35 GDPR. This change aims to provide greater flexibility for businesses to manage their data protection responsibilities.
The Proposal also introduces a formal definition of SMEs and SMCs in Article 4 GDPR and extends the scope of Articles 40(1) and 42(1) GDPR, which relate to codes of conduct and certification mechanisms, to cover SMCs. These tools are designed to help organizations demonstrate GDPR compliance by addressing the specific needs of smaller enterprises. Both the EDPB and EDPS support the objective of reducing administrative burdens, provided that fundamental rights to privacy and data protection remain safeguarded.
The Joint Opinion highlights the need for further clarification of the new 750-employee threshold for the derogation and recommends aligning it with the new definitions of SMEs and SMCs, which include financial criteria. It also asks for clarification that the term “organization” under the exemption does not include public authorities or bodies. These clarifications are essential to ensure the Proposal benefits the intended groups without compromising GDPR’s core principles.