GDPR relaxes record-keeping for companies under 750 employees
Data protection authorities support simplification with risk-based requirements.

The European Data Protection Board and European Data Protection Supervisor endorsed limited modifications to data protection requirements on July 8, 2025, while requesting additional justification for expanded business eligibility criteria. According to the EDPB-EDPS Joint Opinion 01/2025, the proposal would eliminate mandatory record-keeping obligations for enterprises employing fewer than 750 persons unless their processing activities pose high risks to individual rights.
On May 21, 2025, the European Commission issued a Proposal for a Regulation amending the General Data Protection Regulation as part of the fourth simplification Omnibus initiative. The measure targets small and medium-sized enterprises and introduces coverage for small mid-cap enterprises with specific revenue thresholds. Currently, Article 30(5) GDPR exempts organizations with fewer than 250 employees from maintaining processing records, provided their activities remain occasional and exclude special categories of personal data.
The proposed revision would increase the employee threshold to 750 while introducing a risk-based assessment standard. According to the opinion, "the record-keeping obligation would not apply to an enterprise or organisation employing fewer than 750 persons unless the processing it carries out is likely to result in a high risk to data subjects' rights and freedoms, within the meaning of Article 35 GDPR."
Summary
Who: The European Data Protection Board and European Data Protection Supervisor issued a joint opinion regarding the European Commission's proposal to simplify GDPR record-keeping obligations for small and medium-sized enterprises and small mid-cap companies.
What: The proposal would increase the employee threshold for GDPR record-keeping exemptions from 250 to 750 employees while introducing risk-based assessment criteria. Organizations would remain exempt from maintaining processing records unless their activities pose high risks to individual rights and freedoms.
When: The European Commission published the proposal on May 21, 2025, with the EDPB-EDPS joint opinion adopted on July 8, 2025, and announced publicly on July 9, 2025.
Where: The proposal affects all European Union member states and organizations processing personal data within EU jurisdiction, with particular impact on small and medium-sized businesses across the single market.
Why: The initiative aims to reduce administrative burdens on smaller businesses while maintaining fundamental data protection standards. The authorities support simplification efforts provided they preserve individual privacy rights and maintain proportionate compliance frameworks for different organizational scales.
Technical specifications and compliance framework
Organizations qualifying for the derogation must conduct risk assessments to determine whether their processing activities meet the high-risk threshold established in Article 35 GDPR. The assessment criteria mirror those required for data protection impact assessments, creating alignment between record-keeping obligations and existing compliance frameworks. Special categories of personal data covered under Articles 9 and 10 GDPR no longer automatically trigger record-keeping requirements but remain relevant factors in risk evaluations.
The Commission's proposal includes definitional changes affecting enterprise classification. Small mid-cap enterprises encompass organizations employing fewer than 750 persons with annual turnover not exceeding EUR 150 million or balance sheet totals below EUR 129 million. Traditional SME definitions follow existing Commission Recommendation 2003/361/EC standards, covering enterprises with fewer than 250 employees and specific financial criteria.
According to the legislative financial statement accompanying the proposal, approximately 38,000 small mid-cap companies would join the 26 million existing SMEs potentially eligible for the expanded derogation. The threshold adjustment may result in minimal compliance obligations for many Member States, where few controllers and processors exceed the 750-employee limit.
Regulatory concerns and recommendations
The data protection authorities highlighted several technical inconsistencies requiring legislative clarification. The proposal references "enterprises employing fewer than 750 persons" without incorporating newly introduced SME and SMC definitions that include financial criteria. According to the opinion, "the amendment to Article 30(5) GDPR would also apply to enterprises employing fewer than 750 employees, but which do not qualify as SMEs or SMCs due to their higher annual turnover or balance sheet total."
European Data Protection Supervisor Wojciech Wiewiorowski stated: "We support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals' fundamental rights, in particular the rights to privacy and to the protection of personal data."
The authorities requested clarification regarding organizational scope, particularly concerning public authorities and bodies. While the proposal aims to reduce business administrative burdens, exempting public authorities from record-keeping obligations would conflict with their enhanced accountability responsibilities under GDPR Article 37, which mandates data protection officer appointments.
EDPB Chair Anu Talus emphasized practical implications: "The record of processing activities is a useful tool to support compliance with other duties, such as the one of transparency or to give effect to data subject rights. The simplification will offer greater flexibility to SMEs and SMCs to choose the most appropriate method to be compliant."
Processing categories and risk assessment
The opinion addresses specific processing scenarios that previously triggered automatic record-keeping requirements. Under current Article 30(5) GDPR, processing special categories of personal data or criminal conviction data necessitates record maintenance regardless of organizational size. The proposed revision eliminates these categorical requirements, substituting risk-based assessments.
Recital 10 of the proposal provides guidance for employment-related processing under Article 9(2)(b) GDPR. According to the authorities, processing for employment and social security purposes "would in principle not likely result in a high risk to data subjects" unless specific assessments indicate otherwise. However, systematic employee monitoring involving special data categories could constitute high-risk processing requiring continued record-keeping.
The authorities recommend legislative clarification ensuring consistent application across all processing activities. They propose specifying that "a record of processing would only be mandatory for those processing activities 'likely to result in a high risk'" rather than imposing blanket requirements when any single activity meets the risk threshold.
Implementation timeline and business impact
Organizations currently maintaining processing records under the 250-employee threshold would continue existing practices pending final legislative adoption. The proposal requires approval from the European Parliament and Council before implementation, with no specified effective date announced.
For qualifying organizations, the modification provides flexibility in compliance documentation approaches while maintaining obligations for transparency, data subject rights, and security measures. Controllers and processors remain subject to accountability principles under Article 5(2) GDPR regardless of record-keeping exemptions.
The authorities noted that the Commission's initial consultation was based on a 500-employee threshold, which was later revised to 750, and requested additional justification for the increase. Implementation costs and fundamental rights impact assessments were absent from the proposal documentation, prompting regulatory concern about proportionality analysis.
Industry context and enforcement trends
The simplification initiative occurs amid heightened GDPR enforcement activity across European jurisdictions. Recent enforcement actions have targeted transparency failures, with Stockholm courts upholding €5.4 million penalties against Spotify for inadequate data access responses. Dutch authorities have established comprehensive AI guidance requiring lawful data sourcing for machine learning applications.
European privacy advocates continue challenging consent mechanisms and administrative enforcement gaps, particularly regarding "consent or pay" models that the EDPB determined violate GDPR standards. Marketing technology providers face increasing scrutiny over data collection practices, with authorities examining automated decision-making frameworks and targeted advertising compliance.
The proposal extends Articles 40(1) and 42(1) GDPR to small mid-cap enterprises, enabling their participation in codes of conduct and certification mechanisms. These voluntary compliance tools provide structured approaches for demonstrating GDPR adherence while addressing sector-specific requirements.
Practical compliance considerations
Organizations approaching the 750-employee threshold should evaluate current record-keeping practices and risk assessment capabilities. The transition requires understanding of Article 35 GDPR criteria for identifying high-risk processing activities, including large-scale special data categories, systematic monitoring, and automated decision-making with legal effects.
Data protection officers and compliance teams must prepare for risk-based documentation approaches replacing categorical requirements. While formal processing records may become optional for qualifying organizations, maintaining adequate documentation supports broader GDPR obligations including breach notification, data subject requests, and supervisory authority cooperation.
The authorities encourage continued voluntary record-keeping where beneficial for compliance demonstration. Processing records facilitate transparency policy development, data subject right fulfillment, and data protection impact assessments while supporting controller and processor relationship management.
Timeline
- May 6, 2025: European Commission sends preliminary consultation letter to EDPB and EDPS regarding proposed simplification measures
- May 8, 2025: EDPB and EDPS adopt joint response letter expressing preliminary support for targeted initiative
- May 21, 2025: European Commission publishes Proposal for Regulation amending GDPR and other regulations
- May 23, 2025: Commission sends corrigendum to original proposal (COM(2025) 502/2)
- July 8, 2025: EDPB and EDPS adopt Joint Opinion 01/2025 on the simplification proposal
- July 9, 2025: Public announcement of joint opinion supporting targeted modifications with clarification requests
- June 2025: EDPB adopts guidelines on data transfers to third-country authorities during plenary session
- Related: May 2024 German DPA AI guidelines establish framework for artificial intelligence data protection compliance