Modifications of the GDPR: EDPB & EDPS welcome simplification of record keeping obligations and request further clarifications

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR.

The Proposal, part of the fourth simplification Omnibus, aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures. 

The Proposal aims to modify Art.30 (5) GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisation under 250 employees, except in certain cases. Under the Proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms, within the meaning of Art.35 GDPR.

In addition, the Proposal introduces a definition of SME and SMC in Art.4 GDPR and extends the scope of Art.40 (1) and 42 (1) GDPR to the SMCs, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR focusing on the specific needs of SMEs.

Wojciech Wiewiórowski, EDPS, said: “We support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals’ fundamental rights, in particular the rights to privacy and to the protection of personal data. To this end, we welcome that the proposed modifications to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature, and do not affect the core principles and other obligations under the GDPR”.

Anu Talus, EDPB Chair, said: “The EDPB supports the Proposal’s general objective to reduce the administrative burden for SMEs and SMCs and to ensure that, in practice, they can enjoy a derogation from the duty to keep records of processing activities. The current derogation did not always achieve its goal. At the same time, the record of processing activities is a useful tool to support compliance with other duties, such as the one of transparency or to give effect to data subject rights. The simplification will offer greater flexibility to SMEs and SMCs to choose the most appropriate method to be compliant.”

As regard the organisations being subject to the derogation, considering that the Proposal impacts legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Art. 30 (5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also includes financial criteria. In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC.

The EDPB and EDPS also ask the co-legislators to clarify in the Proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Art.30 (5) GDPR, does not include public authorities and bodies. (source: https://www.edps.europa.eu/photo freepik.com)

Read the Opinion here

Comments

Post a Comment

Popular posts from this blog

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Access to documents: the Commission decision refusing a journalist of The New York Times access to the text messages exchanged between President von der Leyen and the CEO of Pfizer is annulled (CJEU)

Image
In its Judgment dated 14/5/2025 in Case T-36/23 (Stevi and The New York Times v Commission), the General Court ruled that the Commission decision refusing a journalist of The New York Times access to the text messages exchanged between President von der Leyen and the CEO of Pfizer is annulled. By an application based on the Access to Documents Regulation, [1], Matina Stevi, a journalist working for the daily newspaper The New York Times, requested the European Commission to provide access to all text messages exchanged between President Ursula von der Leyen and Albert Bourla, the chief executive officer of Pfizer, between 1 January 2021 and 11 May 2022.  The Commission rejected that application on the ground that it did not hold the documents covered by it. Ms Stevi and The New York Times requested the General Court of the European Union to annul the Commission’s decision.  In its judgment, the General Court upholds the action and annuls the Commission’s decision. The Court re...
Read more

An overview of the regulatory framework on Gambling Services in the European Union

Image
written by Efi Thoma * The European Union (EU) does not have a harmonized, single regulatory framework for betting companies. Instead, the regulation of gambling services, including betting, remains largely within the competence of individual Member States.  This results in a diverse and often fragmented legal framework across the EU. While the EU facilitates some level of cooperation and sets overarching principles, the specifics of licensing, operational requirements, and consumer protection measures vary significantly from country to country. Despite the lack of a unified framework, several key principles and EU-level instruments influence the national regulations of betting companies. More specifically, the Treaty on the Functioning of the European Union (TFEU) guarantees the freedom of establishment and the freedom to provide services within the EU. These fundamental freedoms mean that Member States cannot unjustifiably restrict betting companies legally established in ano...
Read more

New President of the European Court of Human Rights

Image
The European Court of Human Rights has elected on 28.4.2025 Mattias Guyomar, Judge elected in respect of France, as its new President.  Mattias Guyomar succeeds Marko Bošnjak, Judge elected in respect of Slovenia. He will take up office on 30 May 2025. Read his bio here Furthermore, the Judge elected in respect of Armenia, Vahe Grigoryan, was formally sworn in in the Court's Main Hearing Room on 28.4.2025. Read as well:  Interventions in Justice System and the role of Artificial Intelligence / article by Giorgos Kazoleas, Lawyer in Cyprus
Read more

Imposition of a fine on a bank in Greece for an incident of personal data breach

Image
The Greek Data Protection Supervisory Authority imposed on a Bank, as Data Controller, an administrative fine of EUR 100,000 for violating the principles of accuracy, integrity, and confidentiality of data, and the principles of data protection by design and by default, in conjunction with Articles 32, 33, and 34 of the GDPR, as well as an administrative fine of EUR 20,000 for violating the complainants' right of access. Complaints were submitted to the Supervisory Authority of Greece against the National Bank of Greece for the incorrect linking of a complainant's bank account with the mobile phone number of another complainant in the “i-bank Pay application”, which resulted in money transfers, via “IRIS online payments service”, which were made to the first complainant's account instead of the second's.  In the context of the administrative audit conducted by the Authority, the Bank eventually identified that the issue was due to incorrect configuration during the ...
Read more