GDPR Revision: Is the Record-Keeping Obligation Changing ?

The European Commission put forward a simplification proposal in the General Data Protection Regulation (GDPR), aimed at reducing the burden on small and medium-sized enterprises. This draft amendment seeks to expand the scope of the record-keeping obligation exemption, provided in GDPR’s Article 30(5) and to redefine certain conditions related to the exemption. The said proposal (the Draft GDPR) was jointly evaluated by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on 8 May 2025.

Key proposed amendments:

• Expansion of the exemption’s scope: The record-keeping obligation exemption under GDPR’s Article 30(5), currently benefiting only undertakings with fewer than 250 employees, will be expanded to cover small and medium-sized companies (SMEs) with fewer than 500 employees that do not exceed a certain annual turnover, as well as non-profit organisations with fewer than 500 employees.
• Redefinition of the risk criterion: Instead of the phrase stating “processing likely to result in a risk” found in GDPR’s Article 30(5), the phrase stating “processing likely to result in a high risk to the rights and freedoms of natural persons,” which is a narrower concept, will be introduced. Consequently, only high-risk processing operations will be subject to the record-keeping obligation.
• Removal of certain conditions: The removal of the condition requiring “occasional processing” and the phrase related to the processing of special categories of personal data, is proposed.
• Exemption for processing special data for legal obligations: It is proposed to provide an exemption from the record-keeping obligation under GDPR’s Article 30(5) for the processing of special categories of personal data carried out for the purpose of compliance with legal obligations in the field of employment law, social security, or social protection as provided for under GDPR’s Article 9(2)(b).

Draft GDPR exclusively targets SMEs that meet specific criteria. Large-scale organisations or data processing activities involving high risk will not be able to benefit from these exemptions. The Commission emphasizes that the proposal is underpinned by a risk-based approach.

The EDPB and EDPS emphasize the necessity of preserving the record-keeping obligation, particularly for high-risk data processing activities. In this regard, they state that the “high risk” criteria outlined in Data Protection Impact Assessment (DPIA) guidelines will serve as the basis. Furthermore, considering that even micro-enterprises may undertake high-risk processing activities, the importance of adopting a risk-based approach is stressed. They underline that the simplification initiative must ensure a fair and proportionate balance between the protection of personal data and the operational burdens of organisations. Therefore, it is recommended that the Commission conduct a comprehensive impact assessment regarding the number of companies that will benefit from the draft amendment and the practical implications of the regulation.

The formal consultation process regarding the said draft amendment is expected to be initiated, in accordance with GDPR’s Article 42(2), following the publication of the draft legislation. The amendments are foreseen to affect not only Article 30(5) but also Articles 40(1), 42(1), and 42(2). This proposal is considered as the first step towards a risk-oriented GDPR approach, and if adopted, it may lead to similar simplification efforts may also be considered in other areas such as information obligations (Articles 13–14), the accountability principle (Article 24), DPIA (Article 35), contracts with processors (Article 28), and breach notifications (Article 33). While similar amendments aimed at aligning the Law on Protection of Personal Data No. 6698 (KVKK) with the GDPR might be anticipated in the Strategy Report and other reports, it will be significant whether these changes will affect the KVKK as a consequence of Turkey’s position vis-à-vis the European Union.