The European Commission has put forward a proposal to amend the GDPR, primarily to relieve the burden on small and medium-sized enterprises (SMEs). In a joint statement dated 9 July 2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) endorsed this proposal.
The core of the proposal is to reduce documentation obligations under art. 30 GDPR. In the future, businesses with fewer than 750 employees would be exempt from the requirement to maintain a record of processing activities, provided they do not process sensitive personal data and the processing does not pose a high risk to the rights of data subjects. Previously, this exemption only applied to businesses with fewer than 250 employees.
While the EDPB and EDPS generally support the initiative as a measure to reduce bureaucratic burdens, they also call for more precise regulations. One point of criticism is that the proposal fails to provide a solid basis for the new threshold of 750 employees. They also insist that any reform must safeguard the fundamental rights of data subjects and preserve core GDPR obligations.
Implications for businesses: The proposal could provide relief for SMEs by reducing documentation requirements. However, the obligations under art. 30 GDPR would remain if sensitive personal data is processed or if the processing poses a high risk to the data subjects. It will therefore be crucial to look at one’s own processing activities and to carefully assess the level of risk. We will continue to follow the legislative process to stay ahead of any resulting changes.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)