The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a Joint Opinion on the European Commission’s proposal for a Regulation amending certain regulations, including the GDPR.
The GDPR amendments are part of the fourth simplification Omnibus. The Omnibus aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures.
Among other things, the Commission’s proposal aims to modify Article 30 (5) of the GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisation under 250 employees, except in certain cases. Under the proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms under Article 35 of the GDPR.
In addition, the proposal introduces a definition of SME and SMC in Article 4 of the GDPR and extends the scope of Articles 40 (1) and 42 (1) of the GDPR to the SMCs, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR focusing on the specific needs of SMEs.
As the proposal has an impact on legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Article 30 (5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also includes financial criteria. To ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC.
The EDPB and EDPS also ask the co-legislators to clarify in the proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Article 30 (5) of the GDPR, does not include public authorities and bodies.
