Home

Internal

Global

Contact

de|en|it

Rödl & Partner Italy advises LCF Alliance on 95 million financing with Societe Generale and BayernLB |

Worldwide

We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.

Simplification of record-keeping responsibility under the GDPR

published on 22 July 2025 | reading time approx. 3 minutes

On 21st of May 2025, the European Commission issued a proposal to amend multiple regulations (the Proposal), including the General Data Protection Regulation (GDPR), to reduce the administrative burden placed on small and medium sized enterprises (SME) and small mid-cap enterprises (SMC), by simplifying their record-keeping obligations. Following this, on 9th of July of 2025, the European Data Protection Board (EDPB), and the European Data Protection Supervisor (EDPS) adopted a joint opinion of this Proposal (the Opinion). Both institutions supported the aim of reducing administrative burdens, provided that the changes do not weaken the fundamental right to personal data protection. The simplifications would only apply to enterprises meeting the relevant requirements and not engaging in personal data processing likely to result in a high risk to individuals’ rights and freedoms.

Currently, Article 30(5) GDPR requires enterprises with fewer than 250 employees to maintain records of processing activities when handling special categories of personal data under Articles 9(1) or 10 GDPR, due to the potential high-risk nature of such processing. The Proposal offers an alternative, removal of current Article 30(5) in favour of risk-based approach where the duty to keep records would only apply if the processing were likely to result in high-risk, regardless of the type of data processed. The Proposal also raises the employee threshold for the exemption under this article from 250 to 750 employees.

EDPB and EDPS brought up multiple concerns, however, supported the change if it is aligned with GDPR principles and if a point is made to highlight that record-keeping remains a valuable tool for ensuring compliance. They emphasized that organizations should continue using appropriate methods to demonstrate GDPR compliance and to safeguard data subjects’ rights, even if exempt from mandatory record-keeping under the proposed changes. Such an amendment would exempt 38,000 SMCs in addition to the 26 million SMEs from record-keeping duty based on their size.

In Latvia, the simplification of record-keeping is widely regarded as a step in the right direction. This aligns with one of the government’s key priorities – reducing bureaucratic burdens for businesses. Given that many Latvian companies fall under the 750-employee threshold, the proposed amendments to data processing regulations offer tangible benefits. While companies involved in high-risk data processing (such as handling health data, customer profiling, or large-scale data matching) may still face stricter obligations, those not engaged in such activities stand to gain significantly from the streamlined requirements. This approach supports a more efficient and innovation-friendly business environment, particularly for the country’s numerous SMEs.

DATA PROTECTION BITES

Read all releases »

AUTHOR

Contact Person Picture

Staņislavs Sviderskis

Assistant Attorney at law, Cyber & Information Security Expert

Senior Associate

+371 6733 8125

Send inquiry

RÖDL & PARTNER LATVIA

Discover more about our offices in Latvia.