European Union: European Data Protection Board and European Data Protection Supervisor issued opinion on European Commission’s Proposal amending General Data Protection Regulation as part of Simplification Omnibus Bill IV

On 9 July 2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) released Joint Opinion 01/2025 on the Proposal for a Regulation issued by the European Commission (EC) on 21 May 2025. The Proposal introduces simplification measures for small and medium-sized enterprises (SMEs) and small mid-cap enterprises (SMCs), particularly concerning the record-keeping obligation under Article 30(5) of Regulation (EU) 2016/679 (General Data Protection Regulation/GDPR). The aim is to amend the GDPR by extending the derogation from the requirement to maintain a record of processing activities to enterprises and organisations employing fewer than 750 persons, unless the processing is likely to result in a high risk to data subjects’ rights and freedoms. The Proposal also introduces definitions of SME and SMC into Article 4 GDPR and expands Articles 40(1) and 42(1) GDPR to include SMCs for the purposes of codes of conduct and certification mechanisms. The EDPB and EDPS welcomed the introduction of these definitions and the expansion of Articles 40(1) and 42(1). Their Opinion underscores that records of processing activities remain an essential instrument for demonstrating compliance, supporting risk assessment, facilitating the exercise of data subject rights, and implementing safeguards in innovative processing contexts. They recommend amending Article 30(5) GDPR to refer explicitly to SMEs and SMCs and clarifying in the recitals that the term “organisation” excludes public authorities and bodies. They further highlighted that any simplification under the GDPR must be necessary, proportionate, and not undermine the fundamental right to data protection under the Charter of Fundamental Rights of the European Union (CFR).