Opinion

European Commission publishes proposals for simplification of the GDPR

Published Date
May 30 2025
On May 21 2025, the European Commission adopted a Single Market Simplification proposal, containing a new package of measures for the simplification of the EU single market with the aim of reducing bureaucracy and regulatory costs for business (with predicted savings estimated at EUR400 million annually), improving regulatory coherence, enhancing growth opportunities for small and medium-sized companies (SMEs) and small mid-caps, and promoting trust and compliance (the Proposal).

The Proposal is of relevance to data protection, as it seeks to address one of the more burdensome compliance obligations identified by the EU Commission in its periodic evaluations of the GDPR: the internal documentation obligations set out in Article 30. In particular, the EU Commission plans to amend the GDPR to increase the scope for an organisation to rely on a derogation from the requirement to maintain a record of processing activities (ROPA). 

Currently Article 30(5) provides that the obligation to maintain a ROPA does not apply to an organisation with fewer than 250 employees unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1), or personal data relating to criminal convictions and offences referred to in Article 10. 

The Proposal takes a simpler approach and more closely links the compliance burden of record keeping to corporate size. Specifically, the derogation will be available to organisations employing no more than 750 employees. In that case, a ROPA will only be mandatory when the processing results in “high risk” to data subject rights and freedoms as set out in Article 35 GDPR (Data Processing Impact Assessments, DPIA). As a reminder, Article 35(3) sets out examples of circumstances when a DPIA is required (therefore providing examples of processing considered likely to result in high risk) – i.e.:

  • processing on a large scale of special categories of data or criminal convictions and offences data;
  • systematic and extensive evaluation of personal aspects relating to individuals based on automated processing, including profiling, and on which decisions are based that produce legal effects (or similarly significant effects) concerning the individual; or
  • systematic monitoring of publicly accessible areas on a large scale.

The Proposal includes related GDPR amendments to define the concepts of “micro, small and medium-sized entities” and “small mid-cap entities”. Under the new proposals, Member States, supervisory authorities, the EDPB and the EU Commission will need to take account of such entities when encouraging the establishment of codes of conduct, certification, seal and mark mechanisms under the GDPR.

The press release regarding the Single Market Simplification proposal is available here. The data protection related proposals and draft amending regulation are available here.
