ARTICLE
2 July 2025

GDPR Simplification – What Is Changing?

HS
Hannes Snellman Attorneys Ltd

Contributor

Hannes Snellman is a leading Finnish business law firm entrusted by its clients in matters of critical importance. Our mission is to provide our clients with world-class advice and our people with world-class careers. What sets us apart is our deep commitment to achieving our clients’ goals. With our industry knowledge and business understanding, we provide simple yet effective advice and fresh perspectives, even in the most complex and demanding situations. We focus on what matters the most.

On 21 May 2025, the European Commission published a proposal for a regulation that would amend the General Data Protection Regulation ("GDPR").
Finland Privacy

On 21 May 2025, the European Commission published a proposal for a regulation that would amend the General Data Protection Regulation ("GDPR"). The proposal is part of the Commission's Fourth Omnibus Package and a first step towards simplifying the GDPR.

Key Changes to the GDPR

The most notable change is proposed to Article 30(5) of the GDPR. The Commission is proposing an exemption to small and mid-sized companies employing less than 750 people from the record-keeping obligation (also known as "ROPA"). The proposal raises the employee threshold from the current 250 to 750 employees, and the record-keeping is no longer dependent on whether processing is "occasional".

In practice, SMEs are only subject to mandatory record-keeping if they are carrying out processing that is likely to pose a "high risk". High risk is assessed in line with the existing Article 35 of the GDPR.

Further, the proposal clarifies the record-keeping obligation in an employment context (Art.9(2)(b) GDPR). The processing of special categories of personal data in an employment context (e.g. employees' health data) does not automatically trigger the record-keeping obligation.

Next, the proposal will proceed through the EU legislative approval process, with a view to taking effect in 2026.

Other Simplifications in the Field of Data Regulations

The proposal is closely linked to the competitiveness report published in 2024 by Mario Draghi, which draws attention to the need to simplify EU rules.

What have we seen so far and what lies ahead?

  • In February 2025, the Commission decided to withdraw the AI Liability Directive Proposal and ePrivacy Regulation Proposal.
  • In May 2025, the Commission introduced small simplifications to the GDPR (as explained above).
  • Later in 2025, the Commission is expected to also simplify cybersecurity reporting requirements and even the AI Act. It remains to be seen whether additional GDPR changes will also be introduced as the Commission has identified other improvement areas in the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More