The two main European data bodies have welcomed proposals from the European Commission to change the GDPR to make compliance easier for small businesses.
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have, however, asked for clarification on some aspects of the plan.
Earlier this year, as part of a package of measures aimed at cutting the costs of complying with EU rules, the commission announced plans to amend article 30 of the GDPR.
Under the change, obligations to keep records for GDPR purposes would be eased for companies with fewer than 750 employees, which would be required to maintain records only when the processing of personal data is ‘high risk’ under the GDPR.
The commission also proposed an extension of certain compliance exemptions currently available to small and medium-sized enterprises (SMEs) to a new category: small mid-cap enterprises (SMCs).
In a joint opinion, the two watchdogs supported the proposal’s general objective to reduce the administrative burden for SMEs and SMCs.
They added, however, that they expected “further clarifications” on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered.
They also noted that the article 30 exemption referred to ‘enterprises employing fewer than 750 employees’ without mentioning the newly introduced definitions of SME and SMC, which also include financial criteria.
“In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s joint opinion recommends referring to the newly introduced definitions of SME and SMC,” they stated.
The EDPB and EDPS also asked the EU Council and European Parliament to clarify that the term ‘organisation’ under the proposed derogation did not include public authorities and bodies.