European privacy watchdogs adopt letter of easing GDPR record-keeping rules

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have expressed preliminary support for a European Commission proposal to exempt organisations with fewer than 500 employees from certain record-keeping obligations under the General Data Protection Regulation (GDPR). This move, outlined in a joint letter sent to the Commission on 8 May 2025, aims to reduce administrative burdens on small and medium-sized enterprises (SMEs) while preserving core data protection principles.

Background:

The GDPR’s Article 30 currently requires most organisations to maintain detailed records of data processing activities, including categories of personal data, purposes of processing, and security measures. Under Article 30(5), exemptions exist for SMEs with fewer than 250 employees, but only if their data processing is occasional, non-high-risk, and does not involve sensitive data.

The Commission’s draft proposal, disclosed earlier in 2025, seeks to expand this exemption by raising the employee threshold to 500 and removing the ‘occasional processing’ condition. This change would relieve approximately 90% of EU businesses from mandatory record-keeping, allowing them to focus resources on operational compliance measures like breach notifications and data subject rights.

EDPB and EDPS Position:

In their letter, the watchdogs acknowledged the potential benefits of simplification but emphasised that any exemption must:

1. Avoid undermining accountability: SMEs would still need to comply with other GDPR obligations, such as conducting Data Protection Impact Assessments (DPIAs) for high-risk processing.
2. Maintain proportionality: The Commission must demonstrate that the 500-employee threshold balances reduced burdens with adequate safeguards for data subjects.
3. Prevent fragmentation: National data protection authorities (DPAs) should retain discretion to require records if risks emerge.

The watchdogs also called for an impact assessment to evaluate how the change affects micro-enterprises versus mid-sized firms and whether sector-specific risks (e.g. healthcare or fintech) warrant tailored rules.

What are the implications?

SMEs spend an average of €2,100–€5,800 annually on GDPR compliance (although exact numbers can vary based on several factors), with record-keeping accounting for 30% of these costs. By exempting smaller firms, the EU aims to:

• Free up resources for cybersecurity investments.
• Accelerate digital transformation in sectors like retail and manufacturing.
• Encourage startups to scale without preemptive compliance overhead.

What do the critics say?

Critics warn that simplified rules could create gaps in oversight. For example:

• Supply chain risks: Large corporations might pressure exempted SMEs to self-certify compliance without audits.
• Cross-border complexity: A German SME processing data for French clients could face conflicting national interpretations.

Next steps:

The Commission will publish its formal legislative proposal by 21 May 2025, followed by a consultation period with stakeholders. The amendment is part of a wider ‘Digital Package‘ to streamline EU regulations, including the Data Governance Act and Cybersecurity Act.

Notably, the proposal aligns with Commission President Ursula von der Leyen’s pledge to cut red tape by 25% across digital policies, positioning the EU as a more agile competitor against the US and China. However, civil society groups like NOYB have cautioned against diluting GDPR’s accountability framework, urging safeguards to prevent misuse of the exemption.

Conclusion:

While the proposed exemption promises economic relief, its success hinges on precise drafting to prevent loopholes and ensure consistent enforcement. As the Commission finalises its proposal, businesses should prepare for a hybrid compliance landscape- one that rewards operational efficiency without compromising the GDPR’s foundational commitment to privacy.