EDPB, EDPS Approve EC Plan Simplifying GDPR Data-Processing Reporting
A European Commission proposal to ease some reporting requirements under the General Data Protection Regulation (GDPR) won backing from the EU's top privacy bodies Wednesday. They cautioned, however, that the amended rules must not result in reduced protection for individuals.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The GDPR revamp is part of the EC's fourth simplification package aimed at boosting Europe's single market by cutting red tape for small and mid-sized companies (SMEs) and small-cap enterprises (SMCs). The EC defines SMCs as organizations which aren't SMEs, employ fewer than 750 people and have an annual revenue not exceeding 150 million euros ($176 million) (see 2505210007).
In a Wednesday opinion, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) backed the general objective of the proposal.
They noted that the proposed modifications aimed at simplifying and clarifying the requirement to keep records of personal data processing "are targeted and limited in nature and do not affect the core principles and other obligations" under the regulation.
The privacy watchdogs stressed, however, that simplification of the GDPR must be proportionate, balanced and based on necessity. In addition, they questioned why the EC hadn't conducted an assessment of the impact of the changes on data-protection rights.
The watchdogs urged the European Parliament and Council to clarify in the final legislation that records would only be mandatory for data-protection activities likely to result in a high risk. They asked the EC to explain why the new threshold of organizations and enterprises employing fewer than 750 people is appropriate specifically in the case of the GDPR.
The EDPB and EDPS also recommended that Parliament and Council make clear that the term "organization" covered by the amended GDPR doesn't include public authorities and bodies.
Denmark, which assumed the EU Presidency July 1, said the simplification package and GDPR tweaks are key priorities for its six-month term (see 2507010005).
Separately, the EC launched surveys Tuesday to evaluate the Free Flow of Non-Personal Data Regulation, Open Data Directive, and Data Governance Act. The assessment will feed into future improvements to EU data legislation, it said. Comments are due July 25.