The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint letter responding to the European Commission’s draft proposal aimed at simplifying the obligation to keep records of data processing under Article 30 of the GDPR.
This proposal, part of the upcoming Fourth Omnibus legislative package, seeks to ease compliance burdens on certain categories of organizations, while retaining core privacy safeguards.
The Commission’s draft proposes extending the existing derogation under Article 30(5) GDPR. Currently, this derogation exempts organizations with fewer than 250 employees from maintaining records of processing activities unless specific risk-related conditions apply. The proposed changes would extend this exemption to “small mid-cap companies” (SMCs) and non-profits with fewer than 500 employees. Additionally, the proposed revision would modify Article 30(5) GDPR to provide that the derogation would not apply if the processing is “likely to result in a high risk” instead of “likely to result in a risk”, thereby raising the risk threshold.
Moreover, the proposal also removes certain current limitations, such as the exception for “occasional processing.” Finally, a recital of the proposal would clarify that the processing of special categories of personal data to comply with a legal obligation in the field of employment, social security or social protection law (in accordance with Article 9(2)(b) GDPR) would not be subject to the obligation to maintain a record of these processing activities.
The EDPB and EDPS expressed preliminary support for the targeted simplification, acknowledging its potential to reduce compliance burdens without undermining core privacy protections. However, they stressed the importance of empirical analysis to assess its real-world impact. Specifically, they urged the Commission to provide data on the number of organizations that would benefit from the reform and to evaluate how these changes might affect overall data protection.
Importantly, the supervisory bodies welcomed the retention of mandatory record-keeping for high-risk processing activities, noting that even small organizations can carry out such operations. They highlighted existing guidance, particularly the Article 29 Working Party’s guidelines on Data Protection Impact Assessments (DPIAs), which clarify when processing is likely to be considered high-risk.
Despite their preliminary support, the EDPB and EDPS emphasized that simplification must not compromise the fundamental rights of data subjects. They reaffirmed the necessity of maintaining a risk-based approach and indicated that a formal consultation process will follow the publication of the final legislative text.
We will need to wait for the official legislative text to confirm the simplification of record-keeping obligations. However, it is evident that the proposed changes could significantly ease compliance burdens for many small companies currently affected by the complex requirements of Article 30 of the GDPR.
On a similar topic, you can read the article “Italian GDPR fine for criminal record checks without a privacy related legal basis”.