Simplification of record-keeping obligations under the GDPR is on the way
As part of the EU Omnibus Simplification Package, the European Commission is proposing to simplify certain GDPR obligations. The aim is to reduce the documentation requirements that record-keeping obligations place on smaller companies.
The European Commission is proposing several changes to simplify the record-keeping obligations under the GDPR. The changes are planned to be part of the so-called “Fourth Omnibus”, which aims to reduce administrative burdens and enhance competitiveness for small and medium-sized companies.
Simply put, the European Commission is suggesting four different changes:
- Extension of the exception to the record-keeping obligation by expanding the employee threshold trigger from 250 employees to 500 employees
- Modification of the condition under which the employee-threshold exception cannot be used, by changing the trigger from processing likely to result in a “risk” to processing likely to result in a “high risk”
- Removal of the condition that processing that is “not occasional” triggers record-keeping obligations, so that the frequency of the processing no longer plays a role
- Removal of the record-keeping obligation for processing special data categories to comply with legal obligations in the field of employment, among other fields.
The proposed changes will not otherwise affect other GDPR obligations.
IUNO’s opinion
Many companies are still struggling with the administrative burdens of ensuring GDPR compliance. That said, considering the limited scope, the proposed changes will only offer limited relief. It is also possible that the proposal will be subject to further changes before final adoption.
At IUNO, we consider that while the proposed changes may carve out some processing activities, most processing operations within HR or involving AI will still qualify as “high risk”. That means that such processing operations will trigger the record-keeping obligation in any case. For that reason, most companies will still be subject to record-keeping obligations.
[Letter from the EDPB and EDPS to the European Commission of 8 May 2025]