Article 30 of the General Data Protection Regulation (GDPR) may soon undergo significant changes, potentially resulting in its removal in its current form.
This article, which requires organizations to maintain detailed records of their data processing activities, is likely to be amended as part of broader legislative packages aimed at streamlining regulations—commonly referred to as “omnibus measures.”
Through these measures designed to simplify compliance, the European Commission has committed to reducing the administrative burden on businesses and organizations by at least 25% before the end of its current mandate. Two such initiatives have already been announced. One relaxes certain non-financial reporting obligations, including delaying the implementation of parts of the Corporate Sustainability Reporting Directive (CSRD), narrowing its scope, reducing due diligence requirements, and removing sector-specific standards. The second initiative applies a similar approach to the InvestEU and EFSI regulations, in an effort to promote strategic investments across the continent.
Currently, three additional legislative packages are on the agenda. These target sectors such as agriculture and defense, as well as a new category of entities known as “small mid-caps”—companies with between 250 and 500 employees.
The latest information indicates that a comprehensive omnibus proposal addressing these small mid-cap organizations is scheduled for announcement on May 21, 2025. This initiative is expected to include changes to the GDPR, as confirmed in mid-March by Michael McGrath, European Commissioner for Democracy, Justice and the Rule of Law.
Potential Exemption for Routine Data Processing Activities
An important amendment is also being considered for Paragraph 5 of Article 30. As it currently stands, this paragraph exempts data controllers with fewer than 250 employees from the obligation to keep a record of their data processing activities. The exemption applies unless such activities:
- Pose a risk to individuals’ rights and freedoms
- Are non-routine in nature
- Involve categories of data specified in Article 9(1), such as sensitive data, or data related to criminal convictions under Article 10
European policymakers propose raising the employee threshold to 500, subject to certain revenue limits. Additionally, they aim to relax the scope of this exemption by removing the exceptions requiring organizations to record non-routine processing activities or handle special categories of data.
This direction aligns with the views of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). They recently sent a joint letter to Brussels, explicitly supporting the potential changes related to the threshold expansion. While they did not explicitly endorse the relaxation concerning the scope of activities, their reasoning suggests a tendency towards more permissive rules—particularly allowing exemptions in specific cases, such as when processing is necessary for legal obligations or the exercise of rights by data controllers or data subjects in employment, social security, or social protection contexts.
At this stage, both the EDPB and EDPS have expressed their “support” for the initiative. They recommend that further impact assessments be conducted, including estimates of how many organizations would benefit and how the proposed changes might affect the protection of personal data. They do welcome the retention of restrictions on exemptions when processing activities entail risk, emphasizing that high-risk processing should remain under stricter rules.
