Modifications of the GDPR: EDPB & EDPS welcome simplification of record keeping obligations and request further clarifications
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR.
The Proposal, part of the fourth simplification Omnibus, aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium-sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures.
The Proposal aims to modify Art.30 (5) GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisations under 250 employees, except in certain cases. Under the Proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms, within the meaning of Art.35 GDPR.
In addition, the Proposal introduces a definition of SME and SMC in Art.4 GDPR and extends to SMCs the scope of Art.40 (1) and 42 (1) GDPR, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR, focusing on the specific needs of SMEs.
Wojciech Wiewiórowski, EDPS, said: “We support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals’ fundamental rights, in particular the rights to privacy and to the protection of personal data. To this end, we welcome that the proposed modifications to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature, and do not affect the core principles and other obligations under the GDPR”.
Anu Talus, EDPB Chair, said: “The EDPB supports the Proposal’s general objective to reduce the administrative burden for SMEs and SMCs and to ensure that, in practice, they can enjoy a derogation from the duty to keep records of processing activities. The current derogation did not always achieve its goal. At the same time, the record of processing activities is a useful tool to support compliance with other duties, such as the one of transparency or to give effect to data subject rights. The simplification will offer greater flexibility to SMEs and SMCs to choose the most appropriate method to be compliant.”
As regards the organisations subject to the derogation, considering that the Proposal impacts legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Art. 30 (5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also include financial criteria. In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC.
The EDPB and EDPS also ask the co-legislators to clarify in the Proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Art.30 (5) GDPR, does not include public authorities and bodies. (source: https://www.edps.europa.eu/photo freepik.com)