On 9 July 2025, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion on the European Commission’s legislative proposal to amend GDPR following the Fourth Simplification Omnibus Package (“Commission’s Proposal”).

In the Opinion, while they support the Commission’s Proposal to reduce administrative burden—particularly, regarding record-keeping obligations— the EDPB and EDPS emphasize the importance of preserving essential data protection safeguards, and this relation insist for additional review and assessment of data protection aspects of the Commission’s Proposal.

Further to the Commission’s Proposal, the threshold for exemption of data controllers and processors from maintaining records of processing activities (RoPA) pursuant to Article 30(5) GDPR shall be amended to include organizations processing personal data with fewer than 750 employees. The EDPB and EDPS underscore that the proposed derogation should not operate automatically, and that, instead, it should remain conditional on a documented assessment demonstrating that the relevant processing activities of data controllers or processors are unlikely to result in a high risk to the rights and freedoms of individuals. Specifically: 

• The exemption shall apply only if a documented risk assessment is completed and as a result of it, it is concluded that the processing is unlikely to pose high risks to individuals.
• This assessment shall be available on request and provided as compliance evidence to the supervisory authority of competent jurisdiction. 
• The controller or, if applicable, the processor, shall retain the burden of proof, reinforcing the need for robust internal accountability mechanisms.

Even where the exemption applies, EDPB and EDPS strongly encourage the continued use of ROPA by all data controllers and processors. In the opinion of EDPB and EDPS, maintaining such records remains a key instrument for demonstrating compliance with the GDPR principle of accountability.

Last but not least, EDPB and EDPS encourage the co-legislators clarify expressly that the term “organisation” as used in the context of the proposed Article 30(5) GDPR derogation does not extend to public authorities and bodies. This clarification is essential to avoid misinterpretation and ensure consistent application of the GDPR across sectors.

The Proposal also introduces a new category of business undertakings: the Small Mid-Cap enterprises (“SMCs”). According to Commission Recommendation C (2025) 3500, SMCs are companies that (i) do not qualify as SMEs under Recommendation 2003/361/EC; (i) employ fewer than 750 people; and (iii) have either an annual turnover not exceeding €150 million or an annual balance sheet total not exceeding €129 million.

The EDPB and EDPS agree that this new category of business organizations face challenges similar to those of SMEs, but call for additional clarification on the underlying for adopting this specific threshold and its practical implications within the context of the GDPR.