Europe: European Commission publishes proposal for simplification of the GDPR (2025)

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal”). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) recently adopted a joint letter, addressed to the European Commission, expressing preliminary support for the proposal to simplify record-keeping obligations under the GDPR.

Currently, under Article 30 GDPR, the requirement to maintain records of processing does not apply where an organisation has fewer than 250 employees, unless the data processing in question is likely to result in “a risk” to the rights and freedoms of data subjects, the processing is not occasional or the processing includes special categories of data or criminal conviction and offences data. The European Commission’s Proposal aims to “reduce administrative burden” on small mid-cap enterprises (“SMCs”), by including targeted changes which extend these current SME derogations to SMCs.

Summary of key proposals:

  • The Proposal amends the GDPR by extending the derogation on the obligation to maintain records of processing to ‘SMCs’, which are defined as organisations with fewer than 750 employees, a total balance sheet not exceeding EUR 129m and an annual net turnover not exceeding EUR 150m. The European Commission aims to extend the derogation to those organisations that have outgrown the SME definition. However, since various pieces of EU legislation already use different classifications, this new definition could add further complexity. For example, to be considered in scope for NIS2, an entity must meet or exceed the ceilings for “medium-sized enterprises” – defined as enterprises “which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million”.
  • The derogation will apply unless an organisation carries out processing activities that are likely to result in a high risk to the rights and freedoms of individuals or where special category data is processed.
  • The Proposal includes a requirement that the specific needs of SMCs must be taken into account when the Member States, supervisory authorities, the Board, and the Commission draft codes of conduct and when certification bodies or competent supervisory authorities establish data protection certification mechanisms and data protection seals and marks.

Although there has been much anticipation over the proposals to simplify the GDPR, the amendments included in the current Proposal are more limited and targeted than first anticipated. In practice, many companies who may fall within the size definition of ‘SMCs’ will still be required to adhere to record-keeping obligations because of the nature of their data processing. In addition, the real administrative burden, mapping processing activities and carrying out DPIAs, will still be required, not only to assess whether processing activities “are likely to result in a high risk to the rights and freedoms of individuals”, but also to comply with other obligations within the GDPR.

There was some expectation that simplification would include standard records of processing for the most common processing activities, which would then relieve compliant companies of other obligations (such as legitimate interest assessments). In the UK, the previous Data Protection and Digital Information (No.2) Bill (“DPDI Bill”) went some way towards this, narrowing the requirement to maintain records of processing and introducing recognised legitimate interests. Although the amendments in the DPDI Bill in relation to records of processing were not carried across to the new UK Data (Use and Access) Bill (“DUAB”), the DUAB has helpfully maintained the concept of ‘recognised legitimate interests’ to provide a presumption of legitimacy to certain processing activities that a controller may wish to carry out under Article 6(1)(f) (legitimate interests).

The Proposal will now be subject to the EU’s legislative procedure and may be further amended by the European Parliament or the Council.

Article information

Author: Francesca Jacobs Ret
