Opinion: EU Letter Hints at Potential Major Shift in GDPR Record-Keeping Obligations

The European Commission is preparing a proposal to simplify GDPR record-keeping obligations, specifically those related to the Record of Processing Activities (ROPA). This was recently hinted at in a joint letter from the EDPB and EDPS dated 8 May 2025. While the proposal has not yet been published and nothing is final, the letter provides a clear indication of what may be included.

In my view, the most significant part of the proposal is the suggested removal of the “occasional processing” condition in Article 30(5) GDPR. Today, organisations with fewer than 250 employees are exempt from maintaining a ROPA only if their data processing is occasional. In practice, this means that most organisations are still required to maintain a full ROPA, since many regular business operations are not considered occasional.

Maintaining a ROPA is a substantial compliance task, as it involves documenting all processing activities, their purposes, the categories of data and recipients, retention periods and security measures. Removing the occasionality condition would give real effect to the exemption and reduce the administrative burden, especially for smaller organisations.

Another part of the proposal would also change the threshold for when a ROPA is required. Instead of applying when the processing is likely to result in a risk to individuals, the exemption would only be unavailable if the processing is likely to result in a high risk. This would narrow the scope of the obligation and better align it with the overall risk-based approach of the GDPR.

The Commission is also considering extending the exemption to companies with up to 500 employees and certain non-profits. However, it is the change to the occasional processing rule, combined with the clearer risk threshold, that would likely have the greatest practical impact.

Although the proposal is still under discussion, these early signs suggest a shift towards a more proportionate and workable GDPR record-keeping framework that could benefit many organisations without weakening fundamental protections.

Click here to read the letter.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure