
EU plans to ease record-keeping obligations for smaller organizations


The European Commission has unveiled a draft proposal (May 2025) to simplify the GDPR’s record-keeping obligations.

According to Article 30, controllers and processors must maintain a detailed record of processing activities (ROPA) for accountability. However, Article 30(5) currently provides an exemption for enterprises and organizations employing fewer than 250 persons unless:

  • the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects,
  • the processing is not occasional, or 
  • the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Proposed Changes

The draft proposal would expand and clarify the Article 30(5) derogation. Key changes under consideration include:

✅ Higher employee threshold:
Extend the record-keeping exemption to “small mid-cap companies” and nonprofits with fewer than 500 employees (up from 250). This brings mid-sized firms under the exemption, not just traditional SMEs.

✅ Risk-based focus:
Narrow the trigger from any “risk” to “high risk” processing.

✅ Dropping the “occasional” requirement:
Remove the condition that processing must be occasional for the exemption to apply. Under the proposal, a qualifying small organization can engage in regular or frequent processing and still be exempt from record-keeping, so long as it doesn’t meet other disqualifying criteria.

✅ Clarifying special data exemptions:
Currently, handling any special category data (e.g. health, ethnicity) would nullify the exemption. The proposal refines this. A new recital will clarify that processing special categories of personal data to comply with legal obligations in employment, social security, or social protection law (per Article 9(2)(b) GDPR) will not trigger the record-keeping requirement.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter addressed to the European Commission.

The EDPB and EDPS shared that, at this stage, they could express preliminary support for this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations.

Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisations subject to this change, to assess whether the draft proposal ensures a proportionate and fair balance between the protection of personal data and the interests of organisations with fewer than 500 employees.

What should companies do now?

📌 First, stay informed – the proposal is still in draft form, with a formal consultation to follow.

📌 We encourage businesses to review their data processing activities in light of these potential changes.

📌 However, it’s crucial to assess whether any of your processing might be considered “likely high risk” or involves special data beyond the narrow legal-obligation context.

But as always, compliance is not one-size-fits-all. Our experts are here to guide you through not only the latest updates of GDPR, but also a wide range of issues in regulatory compliance.

Let us help you turn regulatory change into strategic advantage.

For more detail on the regulators’ perspective, you can read the EDPB-EDPS joint letter (8 May 2025) to the Commission on this proposal here: https://www.edpb.europa.eu/news/news/2025/simplification-record-keeping-obligation-edpb-and-edps-adopt-letter-eu-commission_en

🔗 Contact us: https://www.eylaw.hu/en_hu/people/ivan-sefer
