On May 21, 2025, the European Commission presented a draft regulation aimed at simplifying certain GDPR obligations for medium-sized businesses. This is not a good signal to the market, as our partner Alan Walter explains in this LJA article.
In an effort to reduce administrative costs for businesses, the European Commission intends to exempt SMEs (i.e., those with fewer than 750 employees and a turnover of €15 million) from certain obligations under the General Data Protection Regulation, such as the requirement to keep a record of processing activities. Interviewed on this subject, Alan Walter expressed serious reservations about the merits of such measures.
“The real issue isn’t so much the number of employees, but the level of risk generated by data processing,” he explains. “The material criterion is important. If a company’s main activity is focused on processing personal data, then we can deduce that the level of risk is higher. But today, who is able to concretely define this risk?”
Alan continues: “The processing activity register has a fundamental interest: it requires self-assessment and self-criticism, which must nevertheless be carried out regularly. It is a valuable compliance tool that I always recommend to my clients, even when it is not a requirement.”
Read the full article published by the LJA (subscription required).
