EDPB & EDPS Back GDPR Simplification

Key Takeaways

  • Expanded Exemption Threshold: The proposal raises the GDPR’s recordkeeping exemption from 250 to 750 employees, easing administrative requirements for more organizations.
  • Support with Conditions: The EDPB and EDPS back the simplification but stress that it must not compromise fundamental data protection rights.
  • Call for Clarification: Regulators want an explanation for the choice of the 750 threshold and recommend aligning the exemption with newly defined SME and SMC criteria.
  • Codes and Certification Extended: Articles 40 and 42 would be updated to allow SMCs to participate in voluntary codes of conduct and certification schemes.
  • Public Authorities Excluded: The Joint Opinion urges lawmakers to make clear that public bodies should not benefit from the proposed exemption.

Deep Dive

The EU wants to make life a little easier for smaller businesses under the GDPR, but Europe's top data protection authorities are asking a few questions before they sign off.

In a joint opinion published July 9, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) cautiously welcomed the European Commission’s latest attempt to cut red tape, this time by tweaking the GDPR’s record-keeping requirements.

The proposal, part of the Commission’s broader “Fourth Omnibus” simplification package, takes aim at Article 30(5) of the GDPR. Right now, organizations with fewer than 250 employees are exempt from the obligation to maintain detailed records of data processing, unless they’re doing something particularly risky with people’s data. The Commission wants to raise that bar to 750 employees, giving more breathing room to small and mid-sized companies (or “SMCs” as Brussels now calls them) so long as the processing doesn’t carry high risks to fundamental rights under Article 35.

Both the EDPB and EDPS agree in principle. But they’ve flagged some loose ends that need tying up.

“We support the general objective... as long as this does not lower the protection of individuals’ fundamental rights,” said EDPS Wojciech Wiewiórowski, emphasizing that the core principles of the GDPR must remain intact. In other words, simplification is fine, up to a point.

EDPB Chair Anu Talus took a similar view. She acknowledged that the original 250-person threshold hadn’t always worked in practice and welcomed the shift toward greater flexibility. But she reminded lawmakers that keeping records isn’t just a bureaucratic box-tick; it’s a “useful tool” that supports transparency and upholds the rights of individuals.

So why 750?

That’s one of the key questions. The regulators want to know why 750 was chosen as the new cut-off point, especially when a threshold of 500 employees had been considered earlier in the drafting process. They’re also concerned that the proposed language doesn’t reference the newly introduced definitions of SME and SMC, which include financial thresholds in addition to employee count.

This may sound technical, but it matters. Without a clear reference to those definitions, the exemption could inadvertently benefit companies outside the intended scope.

To keep things clean, the regulators have recommended aligning the exemption with the new SME/SMC definitions already set out in Article 4 and making it crystal clear that public authorities and bodies aren’t included in the exemption.

Codes, certification, and clarity

The Commission’s proposal doesn’t stop at recordkeeping. It also amends Articles 40(1) and 42(1) of the GDPR to extend codes of conduct and certification schemes, tools originally designed for SMEs, to SMCs. These voluntary mechanisms are meant to help companies prove they’re following the rules, tailored to their size and resources.

Again, the regulators are on board, so long as the changes don’t dilute protections or create ambiguity about who qualifies and who doesn’t.

In the end, simplifying compliance for smaller businesses is a good thing, but only if it’s done carefully. Brussels might be right to ease the administrative burden, but as always, the devil is in the definitions.
