The European Data Protection Board has again this year published its report for 2024 (“Report”), setting out the fundamental goals of its strategy for the period up to 2027, one of which is to promote compliance with data protection rules. In May this year, the European Commission (“Commission”) submitted a proposal (“Proposal”) aimed at simplifying the GDPR in order to reduce the administrative burden on businesses, which was also welcomed by the European Data Protection Board. In this article, we summarize the main conclusions of the Report and the future strategy of the European Data Protection Board, and address the Proposal aimed at easing the provisions of the GDPR.
The role of the European Data Protection Board in the field of data protection
The European Data Protection Board’s mission and legal mandate is to ensure the consistent application of EU data protection rules and to promote effective cooperation between data protection authorities in the European Economic Area (EEA). Its responsibilities include ensuring the harmonised enforcement of the GDPR, examining issues relating to the application of the regulation, issuing guidelines, recommendations and best practices to promote harmonised enforcement, and reviewing their application where appropriate.
Key findings of the Report
The European Data Protection Board may examine and issue an opinion on any matter of general application or having implications in more than one Member State, at the request of any supervisory authority, the Chair of the European Data Protection Board, or the European Commission. According to its latest Report in 2024, the European Data Protection Board adopted eight such consistency opinions, including on “pay or consent” models and the use of personal data to train artificial intelligence models.
The European Data Protection Board also continued its active dialogue with data subjects and organizations involved in data processing, which resulted in the publication of articulate factsheets. The Report also provides a detailed description of the measures taken by various national data protection authorities.
The European Data Protection Board continues its activities this year, adopting new guidelines on pseudonymization, which we discussed in this article. The European Data Protection Board announces coordinated enforcement actions every year. In 2024, it focused on the right of access, while in 2025, it plans to review the enforcement of the right to erasure, as reported in this article.
Strategy for the period 2024–2027
In its strategy for the period 2024–2027, the European Data Protection Board has set out four main pillars of objectives:
- promoting consistent application of data protection rules and compliance,
- strengthening international cooperation between data protection authorities,
- ensuring data protection in an emerging digital environment covering multiple regulatory areas (e.g., artificial intelligence),
- supporting global dialogue on privacy and data protection issues.
The European Data Protection Board also confirmed that it intends to continue to play an active role in shaping the regulatory environment for small and medium-sized enterprises (“SME”). In addition, it has made it a priority to help SMEs comply with the law through specific tools and to contribute to raising public awareness of the importance of data protection rights.
Proposal to simplify the GDPR
The Commission pointed out that the complexity of EU legislation hinders market entry and limits growth potential. In order to achieve the objective set out in the report, in May 2025 it published its fourth so-called omnibus package, in which the Commission proposed amendments to various EU rules, including the GDPR rules on the record-keeping obligation.
Under the GDPR, the record of processing activities is currently a fundamental tool for data controllers and processors to identify and document their data processing activities. By way of illustration, the elements that must be recorded include the purpose of data processing, the categories of data subjects and recipients, the retention period, and, where applicable, the transfer of data to third countries.
According to the applicable regulation, data controllers and data processors are only exempt from the obligation to maintain their record of processing activities if they employ fewer than 250 persons. However, this derogation shall not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects; the processing is not occasional; or the processing concerns special categories of data or personal data relating to criminal convictions and offenses. Due to the subjective nature of the list, we recommend that companies striving for compliance keep records in all cases in order to minimize risks.
At the same time, the Commission recognized that even with a threshold of 250 employees, there were very few cases in which companies were exempt from the record-keeping requirement. Therefore, according to the Proposal, in the future, companies that employ fewer than 750 employees and whose turnover does not exceed EUR 150 million or whose total assets do not exceed EUR 129 million will not be required to keep records. Data processing activities that are expected to pose a high risk to data subjects, such as employees or customers, would be excluded from this exemption. However, in this case too, the company’s record-keeping obligation would only cover this high-risk activity.
The Commission estimates that this measure would exempt around 38,000 businesses in the EU from the registration requirement and reduce the administrative burden on businesses by around EUR 400 million per year.
The European Data Protection Board expressed its endorsement of the Proposal. At the same time, it also made data controllers aware of the fact that keeping records of data processing activities not only makes it possible to comply with the regulations but also serves as a useful tool for meeting other GDPR requirements.
In summary, it is clear that companies are still expected to:
- have up-to-date information regarding their data processing;
- ensure transparency in data processing and take data processing considerations into account when designing their processes;
- consciously consider what documentation obligations they have;
- enforce the stricter regulations in key areas.