EU proposes exemptions to GDPR record-keeping provisions



The EU Commission is proposing that SMEs, SMCs* and organisations with fewer than 750 employees will be required to maintain records only when the processing of personal data is “high risk” under the GDPR. The proposals on simplification measures for EU businesses, issued yesterday, do not include the procedural rules for GDPR cross-border cases which are still being negotiated.

Speaking at the CPDP conference in Brussels today on Emerging patterns in EU Digital Regulation, Karolina Mojzesowicz, Deputy Head of Unit responsible for data protection at the European Commission, said that the EU Commission wants to achieve consistency across the EU digital package. Cooperation between the enforcement authorities needs to be enhanced to exchange views on the understanding of the different concepts. She noted that even when a consistent view can be found, authorities sometimes pursue different objectives at national level.

Commenting on the EU's aims for simplification and better competitiveness, she said that probably no-one would want to move from the risk-based approach. "Legal certainty will be achieved by flexible guidelines that can be readjusted if needed," she said.

Anu Talus, Chair of the European Data Protection Board (EDPB), highlighted effective cooperation between the Data Protection Authorities (DPAs) and said that as the new EU digital laws build on the GDPR, it often needs to be taken into account when assessing compliance with the other digital laws. The EDPB recommends that the DPAs should play a prominent role in enforcing the AI Act as most AI systems process personal data. This would ensure legislative certainty for all stakeholders, Talus said.

The EDPB is now working with the EU Commission on guidance about the interplay between EU Digital Markets Act and the GDPR, and the EU AI Act and the GDPR.

The panel session was chaired by Nora Ni Loideain, Director, Institute of Advanced Legal Studies, University of London.

An EDPB speaker will address the EU’s GDPR simplification agenda and related issues at PL&B’s 38th International Conference in Cambridge 7-9 July.

See:

*The European Commission is identifying a new category of companies, small mid-caps (SMCs), i.e. companies with fewer than 750 employees; and either up to €150 million in turnover or up to €129 million in total assets.