Extending the exemption from the obligation to keep a record of processing activities to organisations with fewer than 750 employees: this is the Commission’s proposal on which the EDPB and the EDPS pronounced in Joint Opinion 01/2025. Favour for the lightening, but with a warning: the register is not just an obligation, it is a compliance tool. What SMEs need to know, and why getting rid of the ROPA could be a mistake.
In the European simplification construction site, one of the first pieces concerned the record of processing activities (ROPA) under Article 30 of the GDPR. With its proposal of 21 May 2025 on simplification measures for SMEs and small mid-caps, the Commission proposed to amend Article 30(5), extending the exemption from the register obligation to enterprises and organisations with fewer than 750 employees, unless the processing is likely to result in a high risk to data subjects’ rights and freedoms. On this proposal the EDPB and the EDPS pronounced in Joint Opinion 01/2025, adopted on 8 July 2025.
The authorities’ position: conditional favour
The overall judgment is one of openness: “the EDPB and the EDPS support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as pursuing this objective does not result in lowering the protection of fundamental rights of individuals”. Appreciated, in particular, is the surgical nature of the intervention: “the EDPB and the EDPS welcome […] that the proposed modifications to the GDPR to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature and do not affect the core principles and other obligations under the GDPR”. Simplification, in other words, is acceptable because it touches a documentary obligation, not the principles: lawfulness, minimisation, security and accountability remain intact, for all.
The warning: the register is useful, even when not mandatory
The most useful passage for practice is, however, another. The authorities recall that “in addition to facilitating ex-post compliance demonstration, records of processing activities constitute a very useful means to support compliance with several GDPR requirements”. This is crucial for SMEs: any exemption from the obligation does not make the register useless. The ROPA is, in practice, the backbone of the whole compliance framework: without a mapping of processing operations one cannot draft a complete privacy notice, assess the need for a DPIA, manage a data breach within the deadlines, fully respond to a rights request or — on the most recent fronts — take stock of the processing connected to AI systems. Giving up the register because it is no longer due would mean, for many organisations, giving up the tool with which they demonstrate everything else. It should also be recalled that the proposed exemption is conditional: where processing is likely to present a high risk, the obligation remains regardless of the size threshold.
The moving picture
The SME proposal is not an isolated episode: it fits into the broader Digital Omnibus season, on whose GDPR part the same authorities pronounced with Joint Opinion 2/2026 of 10 February 2026, welcoming the simplifications on data breaches and DPIAs and firmly rejecting the amendment of the definition of personal data. The method that emerges is constant: yes to reducing documentary burdens, no to any intervention that reduces the perimeter or level of protection. For an SME’s DPO, the operational advice is therefore twofold: follow the legislative process to know the final shape of Article 30(5); and, meanwhile, dismantle nothing — if anything, rationalise the existing register, which remains the most efficient snapshot of the organisation’s processing.
Conclusions
The ROPA affair is emblematic of the relationship between simplification and accountability: one can lighten the obligation, not the need. The register is born as a tool of awareness before compliance, and awareness of one’s own processing is not a bureaucratic luxury: it is the precondition of every defensible choice in matters of data. In the light of the above, one wonders whether exempted organisations will distinguish between what is no longer due and what remains necessary, seizing the simplification without losing the map of their own processing, so that documentary lightening does not turn into a substantive rollback of protection.
