On 21 May 2025, the European Commission presented a proposal to amend the General Data Protection Regulation (GDPR), which is intended to reduce the burden on companies with fewer than 750 employees. While the aim of reducing red tape has been met with approval, many non-governmental organisations and data protection experts see the risk of central data protection mechanisms being undermined.
Key points of the GDPR reform proposal
The reform proposal (available as a PDF) aims to amend the content of three GDPR articles in addition to adding new definitions. The focus is on simplifications for SMEs and so-called small mid-cap enterprises, which in terms of size lie between traditional SMEs and large companies. In the future, such companies should also benefit from simplifications.
The material changes relate to two areas:
Records of processing activities (ROPAs)
Art. 30 GDPR, which establishes the obligation to keep a record of processing activities, is to be amended: companies with fewer than 750 employees are to be exempt from the obligation to keep such a record – unless the specific processing activity is likely to result in a high risk for data subjects within the meaning of Art. 35 GDPR. This would relieve many organisations of one of the central documentation obligations of the GDPR.
Greater consideration of smaller companies in codes of conduct and certifications
Art. 40 and 42 GDPR, which govern codes of conduct and certifications, are to be amended so that the special needs of small mid-cap enterprises are explicitly taken into account when developing codes of conduct and data protection certifications.
Criticism: Does the GDPR reform open Pandora’s box?
Numerous non-governmental organisations and data protection experts, such as the 108 signatories of the EDRi letter to the European Commission, have spoken out against the reform of the GDPR. They fear that the reform could undermine key data protection principles such as accountability, and weaken the regulation’s risk-based approach.
Instead of deregulation, critics are calling for consistent enforcement of existing rules and targeted support for smaller players in order to guarantee the protection of fundamental rights in the digital space.
The concerns are not unfounded from two perspectives:
- On the one hand, the original GDPR legislative process demonstrated that hardly any other topic attracts as many stakeholders. Those stakeholders may now feel invited to weigh in again once Pandora’s box has been opened.
- On the other hand, records of processing activities form a basis for all other data protection compliance efforts by companies. It is questionable how companies can fulfil their other data protection obligations without this clear overview of all the processing activities they carry out (see below).
Open questions from data protection experts’ perspective
From our perspective as data protection experts, several questions remain unanswered with regard to the Commission’s proposal for the GDPR reform:
According to the reform proposal, companies with fewer than 750 employees would still have to keep records of processing activities for those processing activities that are likely to pose a high risk to data subjects. The question arises as to how companies would determine this. Doing so will still require an assessment of all processing activities. In light of the accountability principle enshrined in Art. 5(2) GDPR, it is reasonable to assume that such an assessment should be documented. Consequently, companies will be relieved of certain bureaucratic obligations, but not to the extent that one might initially assume.
Records of processing activities also provide a basis for all other data protection endeavours. This is particularly relevant if a company wishes to rely on its legitimate interest as a legal basis for processing. In such a case, according to Art. 13 et seq. GDPR, it must inform data subjects about the specific legitimate interest it wishes to pursue. Furthermore, according to the SNCF Connect judgement of the Court of Justice of the European Union, data controllers can only rely on a legitimate interest as a legal basis if they had informed data subjects of this interest at the time of data collection.
However, if companies do not keep records of processing activities, the question arises as to how they are supposed to keep track of all the legitimate interests they are pursuing. This is an essential step: If they overlook any, they risk not only lacking a valid legal basis for processing, but also failing to fulfil their information obligations adequately.
Conclusion and outlook
With the reform proposal, the European Commission is pursuing its latest strategy of reviewing the EU legal framework and cautiously deregulating. This was triggered by the changed conditions in global trade.
While some organisations are opposed to the GDPR reform, it can be assumed that companies were hoping for a more far-reaching reduction in red tape.
Experts who still recall the legislative process surrounding the introduction of the GDPR will remember that hardly any other EU legislative process has seen so much lobbying. It is unlikely to be any different this time round. At this point in time, it therefore remains unclear in what form and when the GDPR reform will ultimately be adopted.