On May 21, 2025, the European Commission published a proposal to amend the General Data Protection Regulation (GDPR). This proposal is part of an “Omnibus package” designed to simplify European regulations to increase the resilience of small and medium-sized organizations. The focus is on reducing administrative burdens resulting from over-regulation.

An important part of this simplification includes the register of processing activities. This register requires organizations to systematically document all processing of personal data. In the analysis below, we consider what impact the proposed changes may have on the work of the DPO.

The register of processing activities as established today

To reduce administrative burdens, the current GDPR text provides an exception to the obligation to maintain a register of processing activities for organizations with fewer than 250 employees. They are not required to establish a register unless at least one of the following three conditions is met:

  • the processing is likely to present a risk to the rights and freedoms of data subjects;
  • the processing is not incidental;
  • the processing involves special categories of personal data (Article 9) or data relating to criminal convictions and offenses (Article 10).

Since it suffices that only one of these conditions applies to make a register mandatory for all processing, this exception rarely appears to apply in practice. Doubts nevertheless remain, when interpreting these rules, as to whether there is no register requirement at all in these cases, or whether the register of processing activities in small organizations is limited to the set of processing operations listed in Article 30.5 (see the EDPB FAQ on this and the Article 29 Working Party (WP29) publication).

What does the Commission’s recent proposal say?

First, the Commission’s proposal seeks to ensure that medium-sized companies can also benefit from the intended relaxations. To this end, it proposes to introduce a definition of small mid-cap enterprises (SMCs): organizations with up to 750 employees.

It also proposes to relax the three conditions that currently determine whether a processing register is required. This adjustment will presumably reduce the need for a register in practice.

From now on, a register will only be mandatory for companies or organizations that

  • employ 750 people or more, or
  • have fewer than 750 employees and
    • carry out processing operations that present a ‘high risk to the rights and freedoms of natural persons’ (in practice: for which you have to carry out a DPIA pursuant to Article 35), with the exception of processing operations relating to labor law and social security and social protection law (9.2 (b)).

In short: if you are an organization with fewer than 750 employees, you will soon only need to keep a register of processing activities if you carry out high-risk processing operations that are not related to legal processing operations for personnel management.

Note that the exemption applies to “companies or organizations.” The question arises as to what is meant by the latter category. Are government agencies also organizations? From the context of the Omnibus package, we could argue that only organizations that have a commercial purpose are meant.

Indeed, the Commission refers to definitions of “SME/SMC-enterprises,” which refers to organizations with an economic activity. Since we assume that in terms of administrative obligations, governments have few exclusions (see also further: the appointment criteria for a DPO), we assume in this article that governments are not covered by the exemption.

What does the DPO need a registry for?

An up-to-date and complete register of processing activities forms the basis for an effective supervisory task of the Data Protection Officer (DPO). With a properly completed register, the DPO can not only better inform about the applicable obligations, but also provide more focused advice and supervision.

Without a clear overview of what processing activities take place within the organization, the DPO lacks the necessary starting point to assess compliance with the rules of the GDPR.

The register is therefore much more than an administrative obligation: it is a strategic tool that enables the DPO to identify risks, set priorities and carry out targeted checks.

The EDPB also emphasizes the importance of the registry in Guideline wp243. It explicitly states that the registry is an essential tool for the DPO to perform his or her supervisory duties. Although the creation and maintenance of the registry is not the DPO’s formal responsibility, it should be under his or her supervision. In this sense, the registry acts as a key tool for monitoring, advice and control.

What is the impact of the proposal on the work of the DPO?

The proposed simplification of the GDPR only indirectly affects the work of the Data Protection Officer (DPO). This is because the European Commission’s proposal does not change in any way the provisions surrounding the appointment or duties of the DPO as set forth in the GDPR today.

A possible indirect consequence arises when a DPO must be appointed in a context where there is no obligation to establish a register of processing activities. As explained earlier, that register is an essential tool for the DPO to properly perform his or her duties.

Can a DPO be appointed without a register requirement?

What do the GDPR text and the Commission’s new proposal say?

Article 37 of the GDPR stipulates in which cases a DPO must be appointed on a mandatory basis. Thus, a DPO is mandatory when the processing operations are carried out by a public authority. As indicated earlier, we assume in this article that governments are not covered by the intended exemption.

The other two cases in which a DPO must be appointed on a mandatory basis – namely, in cases of large-scale, systematic monitoring or in cases of large-scale processing of sensitive data (Articles 9 and 10) – almost always involve high risk.

As a result, if applicable, in practice the register obligation also remains in place regardless of the size of the organization. (Note: later we do discuss a specific exception in the proposal for processing in the context of an employment relationship).

Specific situations in Belgium and Flanders

In Belgium and Flanders, however, a specific situation may arise where a DPO must be appointed, while there is no obligation to register. This is the case of processors acting on behalf of government agencies. According to Flemish and federal regulations, these processors must, depending on the level, always or under certain conditions appoint a DPO:

  • In Flanders: if an authority uses a processor, the appointment of a DPO with that processor is necessary
  • In Belgium: processors for public authorities appoint a DPO if the processing of these data may represent a high risk

Thus, when such a processor is a private SME appointed by a Flemish institution, a DPO may be required, but the register obligation does not apply. After all, the SME’s processing operations are not necessarily high risk. In that case, the DPO must, if he so wishes, map the processing activities in an alternative way – or still via a voluntarily created register.

Article 9.2(b) exception

A second exception situation arises for organizations that exclusively perform high-risk processing in the context of human resources management, where special categories of personal data are processed under the exception of Article 9.2(b). In that case, the organization could be exempt from the register requirement, while the appointment of a DPO may still be mandatory.

However, these processing operations must be based on legislation, which allows the legislator to determine whether and under what conditions this scenario is possible. National regulations may impose additional obligations.

Voluntary appointment of a DPO

Finally, there is the situation where organizations voluntarily appoint a DPO, for example because they process a lot of personal data of staff, even though such appointment of a DPO is not required by law. In such cases, a register requirement may not apply. Based on the foregoing, it is strongly recommended that a register of processing activities be drawn up anyway. Indeed, without such a register, the work of the DPO may be considerably hampered.

Accountability obligation only for high-risk processing operations?

At first glance, then, there seems to be little impact of the proposed simplification on the work of the DPO, with a few exceptions in mind. However, the proposed simplification, whereby an administrative obligation, based on the number of employees, will apply only to high-risk processing operations, does give food for thought.

First, a common criticism is that the number of employees is not a measure of the risk that a processing operation may entail. Furthermore, one can note that a lot of administrative obligations (including the establishment of a register) in the GDPR can be seen as a due diligence measure that, when properly managed, automatically ensures protection for the data subject (in the case of the register providing a good overview of the processing operations).

The erosion of these best practices is seen by critics as an erosion of the right to data protection. Proponents of this “loosening”, however, will argue that a legislator should only define the boundaries and not get involved in imposing best practices.

What has not yet been demonstrated is whether the intended relaxation will actually (i.e. in practice) relieve small and medium-sized companies. After all, one hears in the corridors that these organizations more often than not do not have the legally required register. Enforcing conformity requires not only rules, but also strict supervision.
