Brussels, 9 July 2025 - The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued today a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR. 

The Proposal, part of the fourth simplification Omnibus, aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures.  

The Proposal aims to modify Art.30 (5) GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisation under 250 employees, except in certain cases. Under the Proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms, within the meaning of Art.35 GDPR. 

In addition, the Proposal introduces a definition of SME and SMC in Art.4 GDPR and extends the scope of Art.40 (1) and 42 (1) GDPR to the SMCs, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR focusing on the specific needs of SMEs. 

Wojciech Wiewiórowski, EDPS, said: “We support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals’ fundamental rights, in particular the rights to privacy and to the protection of personal data. To this end, we welcome that the proposed modifications to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature, and do not affect the core principles and other obligations under the GDPR.”  

Anu Talus, EDPB Chair, said: “The EDPB supports the Proposal’s general objective to reduce the administrative burden for SMEs and SMCs and to ensure that, in practice, they can enjoy a derogation from the duty to keep records of processing activities. The current derogation did not always achieve its goal. At the same time, the record of processing activities is a useful tool to support compliance with other duties, such as the one of transparency or to give effect to data subject rights. The simplification will offer greater flexibility to SMEs and SMCs to choose the most appropriate method to be compliant.”

As regard the organisations being subject to the derogation, considering that the Proposal impacts legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Art. 30 (5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also includes financial criteria. In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC. 

The EDPB and EDPS also ask the co-legislators to clarify in the Proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Art.30 (5) GDPR, does not include public authorities and bodies.  
 

EDPS and EDPB a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR.

Read Press Release

Read Joint Opinion 

A fundamental rights approach to innovation and competitiveness

Helsinki, 3 July 2025 – At a high-level meeting in Helsinki on 1–2 July 2025, the European Data Protection Board (EDPB) adopted a landmark Statement on enhanced clarity, support and engagement.

The Statement outlines new initiatives to make GDPR compliance easier, in particular for micro, small and medium organisations, strengthen consistency and boost cross-regulatory cooperation. 

EDPB Chair Anu Talus said: “The EDPB aims to ensure that compliance with the GDPR can be more easily achieved. By placing fundamental rights into the core of their digital transformation, organisations can ensure that technological advancements and the respect for European values go hand in hand, ultimately building a stronger and more resilient digital economy.”

Across its efforts, the EDPB will strengthen its dialogue with stakeholders, holding proactive and early engagement to identify areas where further support and clarification is required, and providing the opportunity for stakeholders to flag possible inconsistencies and give feedback. The EDPB will publicly report on the main outcomes of the public consultations. 

The EDPB will launch a series of direct and practical resources to simplify GDPR application.

EDPB Chair Anu Talus said: “The EDPB is committed to helping organisations in achieving GDPR compliance with greater ease and efficiency. Through timely and concise guidance and ready-to-use tools, like a common data breach notification template, checklists, how-tos and FAQs, we will continue to make GDPR alignment achievable and accessible for all.”

Among the measures agreed upon to ensure consistent GDPR interpretation and enforcement across Europe, EDPB Members will make continuous efforts to align national and EDPB guidance. They will also develop common practices, methods, tools and common actions review guidelines to ensure their real-world effectiveness. The EDPB will also publish positions by DPAs on priority issues to help organisations understand and act on regulatory expectations.

The EDPB recognises the growing complexity of the digital regulatory landscape and has renewed its commitment to fostering structured cooperation with non-data protection regulators to address legal and practical challenges in cross-sectoral cases.
 

The EDPS - Data Protection Network meeting meets twice a year to discuss data protection priorities and practices in the digital world. 

Read Blogpost by EDPS Secretary General Leonardo Cervera Navas. 

EDPS presents a brand new episode of TechDispatch Talks, a series to help you understand new and emerging technologies, their opportunities but also privacy challenges. Now you can watch it or have a listen!

30 days of preserving privacy and data protection, what does that look like? Read our newsletter to find out. 

The post Interview with Louis-Marie Guérif on Piano’s European Data Protection Seal appeared first on Europrivacy Community.

EDPS and EDPB Trainees organised a conference to reflect and foster discussion on the digital rights of children.

Read the EDPS - EDPB trainees' blogpost.

Watch the recording. 

The EDPS TechDispatch provides factual descriptions of a new technology and its implication for personal data protection. Learn more about Federated Learning in this new edition.

Brussels, 05 June - During its latest plenary, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Art.48 GDPR about data transfers to third country authorities, after public consultation. In addition, the Board presented two new Support Pool of Experts (SPE) projects providing training material on artificial intelligence and data protection. Finally, the Board discussed the European Commission’s request for a joint EDPB-EDPS opinion on the draft proposal on the simplification of record-keeping obligation under the GDPR. 

Data transfers to third country authorities 

Following public consultation, the EDPB has adopted the final version of the guidelines on data transfers to third country authorities. In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities (i.e. authorities from non-European countries).

The EDPB explains that judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.

The modifications introduced in the updated guidelines do not change their orientation, but they aim to provide further clarifications on different aspects that were brought up in the consultation. For example, the updated guidelines address the situation where the recipient of a request is a processor. In addition, they provide additional details regarding the situation where a mother company in a third country receives a request from that third country authority and then requests the personal data from its subsidiary in Europe. 

Upskilling and reskilling on AI and data protection

During its June’s plenary, the EDPB also presented two new Support Pool of Experts (SPE) projects*: Law & Compliance in AI Security and Data Protection and Fundamentals of Secure AI Systems with Personal Data. The two projects, which have been launched at the request of the Hellenic Data Protection Authority (HDPA), provide training material on AI and data protection.

The report “Law & Compliance in AI Security & Data Protection” is addressed to professionals with a legal focus like data protection officers (DPO) or privacy professionals.

The second report, “Fundamentals of Secure AI Systems with Personal Data”, is oriented toward professionals with a technical focus like cybersecurity professionals, developers or deployers of high-risk AI systems.

The main aim of these projects is to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI. The training material will help equip professionals with essential competences in AI and data protection to create a more favourable environment for the enforcement of data protection legislation.

The Board decided to publish both documents as PDF files. Taking into account the very fast evolution of AI, the EDPB also decided to launch a new innovative initiative as a one-year pilot project consisting of a modifiable community version of the reports. The EDPB will start working with the authors of both reports to import them in its Git repository** to allow, in a near future, any external contributor, with an account on this platform and under the condition of the Creative Commons Attribution-ShareAlike license, to propose changes or add comments to the documents.

Simplification of record-keeping obligation under the GDPR ***

Finally, the Board discussed the European Commission's request for a joint opinion by the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, amounting to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this matter within eight weeks. 

Note to editors:

* The Support Pool of Experts (SPE) is an initiative included in the EDPB strategy 2024-2027 to help Data Protection Authorities (DPAs) increase their capacity to enforce by developing common tools and giving them access to a wide pool of experts.  

As part of the SPE programme, the EDPB may commission experts to provide reports and tools on specific topics. The views expressed in the deliverables are those of their authors and they do not necessarily reflect the official position of the EDPB.

** The reports will be available in the following months on the repository page.

***On 8 May 2025, the EDPB and the EDPS adopted a letter, addressed to the European Commission, to share preliminary views on the Commission’s proposal on the simplification of record-keeping obligation under the GDPR.

On 3 June 2025, EDPS, BfDI and BayLfD organised a high-level debate to reflect on the EU's Digital Rulebook. The video recording of the debate is now available on:

Video highlights from the event.

Full recording

Learn more

Europrivacy and the European Centre for Certification and Privacy were delighted to participate at the Privacy Symposium conference in Venice, Italy during May 12-16, 2025. The conference brought together close to a thousand experts and authorities in data governance and regulation. The conference provided an opportunity to discuss the future of data protection certification and […]

The post Europrivacy at the Privacy Symposium appeared first on Europrivacy Community.

The EDPS published on 28 May 2025 an Opinion on the Proposal for a Regulation establishing a common system for the return of third-country nationalsstaying illegally in the EU.

The objective of the Proposal is to ensure the effective return and re-admission of third-country nationals illegally staying in the EU by providing Member States with simplified and common rules.

Read Press Release and Opinion 

We are excited to announce that a new Europrivacy European Data Protection Seal has been formally delivered to Centre d’accès sécurisé aux données (CASD) in a ceremony at the Privacy Symposium conference in Venice! CASD have successfully completed a Europrivacy certificate for a methodology of accessing various data, including personal data for statistical or research […]

The post New European Data Protection Seal for CASD appeared first on Europrivacy Community.

Background information

• Date of final decision: 15 May 2025
• National case
• Controller:  SOLOCAL MARKETING SERVICES
• Legal Reference(s): Article 7 (Conditions for consent), Article 6 (Lawfulness of processing)
• Decision: administrative fine and an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of €10 000 per day overdue after a period of 9 months
• Key words: administrative fine, consent,  unsolicited communication

Summary of the Decision

Origin of the case  

As the French Supervisory Authority (SA) made commercial prospecting a priority topic for investigations in 2022, it focused on the practices of professionals in the sector, particularly those who resell data, including the many intermediaries in this ecosystem known as data brokers. The French SA carried out investigations on SOLOCAL MARKETING SERVICES which got prospect data mainly from data brokers, publishers of game contests and product testing sites (these actors are the first links in the chain, the primary collectors, who are responsible for collecting prospect data). SOLOCAL MARKETING SERVICES used this data to operate commercial prospecting by SMS or e-mail to individuals concerned, on behalf of its advertiser customer. It may also pass on some of this data to its customers, so that they can carry out their own commercial prospecting by telephone or post.

Key Findings 

Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (Article L.34-5 of the French Post and Electronic Communications Code): The restricted committee considered that the misleading appearance of the forms used by data brokers made it impossible to obtain free and unambiguous consent, in compliance with the requirements of the GDPR, which would have formed the basis for the prospecting operations carried out by the company.
Failure to demonstrate that the data subject has consented to processing of his or her personal data (Article 7 of the GDPR): The company failed to provide the French SA with proof of consent from individuals whose data has been transferred to it by one of its main suppliers. As a result, the French SA was unable to examine the collection forms used by this supplier and, therefore, the validity of the consent of the data subjects.

Decision 

Based on the findings of the inspection, the restricted committee – the French SA body responsible for issuing sanctions – considered that the company had failed to comply with obligations under the French Post and Electronic Communications Code (CPCE) and the General Data Protection Regulation (GDPR) regarding the collection and proof of consent. 
It imposed on SOLOCAL MARKETING SERVICES: 

• a €900 000 fine which was made public; and
• an order to cease electronic commercial prospecting in the absence of valid consent, together with a penalty of €10 000 per day overdue after a period of 9 months. 

The amount of this fine takes into account the very large number of people concerned (several million), the company's historical position on the market, the financial benefit derived from the breaches, and the measures taken by the company to comply with some of its obligations since the checks were carried out.

For further information: 
•  Courtiers en données : sanction de 900 000 euros à l’encontre de la société SOLOCAL MARKETING SERVICES (French)
•  Data brokers: SOLOCAL MARKETING SERVICES fined €900,000 (English)
 

CPDP is back! Discover the EDPS involvement in this year's Conference on Computers, Privacy and Data Protection, taking place on May 21-23 in Brussels.

The EDPS will organise two panels on Artificial Intelligence and Data Protection. EDPS' experts will also participate as speakers in other panels and the Supervisor will deliver the conference's closing remarks.

In this issue, read about our trainees’ vision for Europe; our upcoming event on the future of data protection; current affairs on data protection law; our advice and tools for EU institutions, bodies, offices and agencies, and MORE! Read it here.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025 where the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.

The EDPB and EDPS shared that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisation subject to this change, to assess whether the draft proposal ensure a proportionate and fair balance between the protection of personal data and the interests of organisations with less than 500 employees.

Full letter here

Every year at the EDPS, we celebrate Europe Day, the achievements and opportunities it made possible to Europeans. Honouring the legacy of those who advanced the European project is as important as looking ahead and listening to the generations that will shape its future. EDPS Supervisor has therefore asked them about how the EU has impacted their lives and what it means to be European today. 

Read on about what they had to say.

Brussels, 08 May - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025 where the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.  

The EDPB and EDPS shared that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisations subject to this change, to assess whether the draft proposal ensure a proportionate and fair balance between the protection of personal data and the interests of organisations with less than 500 employees.

EDPB-EDPS Letter on European Commission draft proposal on simplification of record-keeping under the GDPR

• Letters

• Controller
• Processor
• Record of processing