The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) have jointly responded to the European Commission’s draft proposal aimed at simplifying record-keeping obligations under the GDPR. The draft proposal, planned to be part of the Fourth Omnibus package scheduled for adoption in May 2025, suggests extending the current exemption from maintaining records of processing activities to a broader category of organisations. Currently, under Article 30(5) GDPR, the obligation to maintain records does not apply to enterprises or organisations with fewer than 250 employees, including small and medium-sized enterprises (SMEs). The Commission’s draft proposal intends to expand this derogation to cover “small mid-cap companies” (SMCs) – defined as companies with fewer than 500 employees and certain turnover criteria – as well as non-profit organisations with fewer than 500 employees. In addition to extending the scope, the draft proposal would amend Article 30(5) GDPR to specify that the exemption would not apply if the processing is “likely to result in a high risk to the rights and freedoms of natural persons.” This marks a tightening compared to the current wording, which only refers to processing “likely to result in a risk”. Furthermore, the proposal would remove certain exceptions to the exemption, such as references to occasional processing and potentially the processing of special categories of personal data. A recital accompanying the proposal would clarify that the processing of special categories of personal data to comply with legal obligations in employment, social security, or social protection law (per Article 9(2)(b) GDPR) would remain exempt from the obligation to maintain records of processing activities. Based on the information available and subject to a full analysis of the legislative text, the EDPB and EDPS have expressed preliminary support for this targeted simplification initiative, emphasizing that it would not affect the broader GDPR obligations that controllers and processors must comply with. However, the EDPB and EDPS have highlighted the need for the Commission to carry out a detailed impact assessment. Such an analysis should include the number of organisations benefiting from the simplification and the potential effects on the protection of personal data. This assessment is crucial to ensuring that the draft proposal strikes a proportionate and fair balance between the interests of organisations with fewer than 500 employees and the rights of data subjects. Importantly, both supervisory bodies welcomed that the obligation to keep records would still apply to processing activities “likely to result in a high risk”. They noted that their existing Guidelines on Data Protection Impact Assessment (“DPIA”) offer valuable guidance on understanding this notion. The EDPB and EDPS also reminded that even very small companies may engage in high-risk processing activities, underscoring the importance of retaining a risk-based approach. Non-occasional processing and processing of special categories of personal data may still constitute a likely high risk, depending on the outcome of a thorough assessment of relevant criteria. Finally, the EDPB and EDPS indicated that a formal consultation will follow the publication of the draft legislative changes, pursuant to Article 42(2) of Regulation 2018/1725. This consultation will provide an opportunity for the supervisory authorities to submit more detailed comments, particularly regarding proposed amendments to Articles 40(1) and 42(1) GDPR. In summary, the EDPB and EDPS recognize the value of simplifying GDPR obligations for smaller organisations but stress that such measures must not undermine the fundamental rights to data protection. They advocate for a balanced, risk-based approach supported by thorough impact analysis to safeguard individuals’ rights while alleviating administrative burdens.
