The European Commission wants to amend the General Data Protection Regulation (AVG) with a new proposal aimed at easing the administrative burden on smaller companies. The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) broadly support this direction, but also warn of potential ambiguities and risks.
The proposal is part of a broader round of reforms - known as the Fourth Omnibus Round - that seeks to simplify EU legislation. Central to the proposed amendment is the extension of an existing exemption from the duty to document processing activities set forth in Article 30(5) of the AVG.
That obligation requires organizations to keep an internal record of what personal data they process, for what purpose, how long they keep it and with whom it is shared. Such a register helps demonstrate compliance with the AVG and allows for oversight. Currently, that obligation only applies to organizations with 250 employees or more. The Commission wants to raise that limit to 750 employees, unless the processing poses a high risk to the rights of data subjects.
This measure aims to give more breathing space not only to small and medium-sized enterprises (SMEs or SMCs), but also to so-called small mid-cap companies (SMCs). In doing so, it introduces for the first time a definition of both SME and SMC in Article 4 of the AVG, and also adapts Articles 40 and 42 so that codes of conduct and certification mechanisms can now also apply to these SMCs.
According to Wojciech Wiewiórowski, the European Data Protection Supervisor, it is understandable that the Commission wants to support smaller companies, especially if it helps them comply with rules. At the same time, he stresses that such relaxations should not come at the expense of protecting fundamental rights, such as privacy. He is therefore positive that the proposed adjustment is limited to a specific administrative obligation and leaves the core principles of the AVG untouched.
Anu Talus, president of the EDPB, also sees the proposal as a welcome step. She emphasizes that the current exception was often not effective enough. At the same time, she says, tracking processing activities remains a valuable tool to meet transparency requirements and safeguard the rights of data subjects. Therefore, she sees the proposed relaxation as a way to give companies more freedom to choose appropriate means of compliance without jettisoning essential obligations.
Still, the regulators have some critical comments. For example, they wonder why a threshold of 750 employees was chosen, whereas 500 was previously considered. They also find it strange that the exemption speaks of "enterprises with less than 750 employees," but does not refer to the new definitions of SME and SMC - which use financial criteria in addition to employee size. To prevent the exemption from being applied more broadly than intended, the EDPS and EDPB advocate that these definitions be explicitly followed.
Finally, the regulators want clarity on whether the exemption also applies to public organizations. In their joint opinion, they argue that the Commission should make explicit that public authorities and institutions are excluded from the exemption.
In the coming months, the co-legislators - the European Parliament and the Council - will consider the proposal. It is clear that the quest for simplification and burden reduction must not lead to the dilution of personal data protection. As the EDPS and EDPB put it: simplicity is welcome, but not at the expense of fundamental rights.
