In a joint publication dated Tuesday 8 July, the EDPB (European Data Protection Board) and the EDPS (European Data Protection Supervisor) give moderate support to the recent targeted reopening of the regulation on data protection (GDPR) by the Commission, in its simplification legislative package (see EUROPE 13645/2).
The two organisations explain that they approve of the targeted simplification initiative, but insist on the need to clarify definitions and justify each threshold or de facto measure, particularly the 750-employee threshold.
The two organisations are also asking the Commission to “amend” the text to refer directly to small and medium-sized enterprises (SMEs or ‘small midcaps’ up to 750 employees and €150 million in turnover) “in order to ensure consistency and avoid any ambiguity”.
“Large companies with high turnover, but which cannot be considered as SMEs or small mid-caps, could nevertheless benefit from the proposed derogation”, they point out.
With regard to the register-keeping derogation, except in the case of “high-risk” data processing (see EUROPE 13665/19), the two organisations want the Commission to “clarify” the assessment requirements to prevent an organisation from being exempted altogether, by assessing the processing risks “on a case-by-case basis” and not as a whole.
The ‘omnibus’ simplification legislation on small mid-caps, presented by the Commission on 21 May, exempts certain categories of European companies from the obligation to keep a register of personal data processing activities (see EUROPE 13645/2).
Link to the publication: https://aeur.eu/f/hup (Original version in French by Isalia Stieffatre)