Simplification of the GDPR: the latest proposals from the EDPB and the EDPS

Following the proposal to amend Regulation (EU) 2016/679 (“GDPR”) presented by the European Commission on 21 May 2025 (the “Proposal”), two significant initiatives were undertaken by the European data protection authorities.
On 2 July 2025, the European Data Protection Board (“EDPB”) adopted “The Helsinki Statement on enhanced clarity, support and engagement: a fundamental rights approach to innovation and competitiveness” (the “Helsinki Statement”), a policy document setting out new initiatives aimed at facilitating GDPR compliance, improving dialogue with stakeholders, enhancing consistency and developing cooperation between different legal frameworks in the digital regulatory landscape.
On 8 July 2025, the EDPB and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 01/2025 (the “Joint Opinion”), in which they generally welcomed the GDPR simplification Proposal, while emphasising the need to ensure that simplification measures remain proportionate, do not undermine the protection of fundamental rights, and are accompanied by an adequate risk assessment.

The Helsinki Statement

During the meeting held in Helsinki, the EDPB members first agreed on a set of initiatives aimed at simplifying compliance with GDPR obligations, with the goal of supporting micro, small, and medium-sized enterprises, promoting responsible innovation, and strengthening European competitiveness. The new tools will include the following:

  • a set of “ready-to-use” templates for companies, based on the harmonisation of work already carried out at national level;
  • a common EU-wide template for data breach notifications to Data Protection Authorities (“DPA”), with the aim of streamlining notification procedures and reducing the burden on businesses;
  • direct and easy-to-use resources, including checklists, practical guides (so-called “how-to” guides), and FAQs to help companies understand their obligations.

With a view to strengthening dialogue with stakeholders and identifying areas requiring further clarification and support, the Helsinki Statement also provides for the possibility of reporting potential inconsistencies and providing feedback through public consultations, as well as for the preparation of accessible and practical guidance for micro, small, and medium-sized enterprises, in line with a risk-based approach.

The Helsinki Statement further emphasises the need to improve consistency in the application and enforcement of the GDPR by DPAs through a series of strategic actions, including:

  • the collection of positions taken by DPAs on priority issues, as expressed in guidelines and national court decisions, to help businesses comply with such guidance;
  • constant updates and follow-up on guidelines to ensure their effectiveness and consistent application;
  • continued efforts to align national guidelines with those of the EDPB;
  • greater harmonisation of enforcement activities through the development of shared practices, methodologies, tools, and actions;
  • in the context of cross-border strategic issues, DPAs should give priority to developing common positions at European level to ensure consistency and harmonisation.

The Helsinki Statement also promotes the EDPB’s commitment to proactively collaborate with other regulatory authorities to support the evolving digital regulatory landscape. This includes preparing further joint guidelines, fostering structured cooperation to share experiences and address legal and practical challenges, as well as actively inviting other authorities to participate in EDPB meetings.

The Helsinki Statement forms part of the broader process of strengthening cooperation among authorities launched by the EDPB starting from 28 April 2022, with the adoption of the “Vienna Statement on Enforcement Cooperation,” expressly referred to in the Helsinki Statement itself, whereby the EDPB proposed intensifying cooperation on strategic cases and diversifying cooperation methodologies. In this context, the EDPB reaffirmed the importance of ensuring effective and timely application of the GDPR, inviting DPAs to collaborate in the joint identification of cross-border cases of strategic importance, in the definition of action plans, and in the promotion of effective and timely sharing of relevant information.

The Joint Opinion

The Joint Opinion focuses primarily on one of the most significant elements of the Proposal, relating to the rules on records of processing activities under Article 30(5) GDPR, which currently exempts organisations with fewer than 250 employees from the obligation to keep such records, unless the processing poses a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data or personal data relating to criminal convictions. The Proposal would raise the threshold for this exemption to 750 employees, except in cases where the processing presents a high risk pursuant to Article 35 GDPR, for which the controller must carry out a data protection impact assessment (“DPIA”). For further information on the Proposal’s developments, please refer to the contribution of LEXIA’s Data & Technology Innovation team, available here.

The EDPB and the EDPS express support for this simplification, while emphasising the importance of ensuring that simplification measures remain proportionate, do not compromise the protection of fundamental rights, and are accompanied by an adequate risk assessment. On the one hand, the Joint Opinion considers that the proposed amendments to the GDPR are targeted and limited, without undermining the fundamental principles and other obligations of the GDPR. On the other hand, the EDPB and EDPS express concern that the Proposal does not include an assessment of the impact on fundamental rights.

A key point of the Joint Opinion concerns the removal of the condition requiring records to be kept in cases of processing of special categories of data (Article 9 GDPR) or personal data relating to criminal convictions (Article 10 GDPR), as set out in the current wording of Article 30(5) GDPR. In particular, Recital 10 of the Proposal states that the processing of special categories of personal data for the purposes referred to in Article 9(2)(b) GDPR (e.g., obligations in the field of employment and social security law) would not trigger the record-keeping obligation. The EDPB and EDPS reaffirm that the processing of such data must nonetheless be taken into account when assessing whether a processing activity presents a high risk and therefore requires a DPIA under Article 35 GDPR. In this regard, the Joint Opinion suggests clarifying in the Recitals that the processing of special categories of personal data for the purposes referred to in Article 9(2)(b) GDPR should not, in itself, require record-keeping unless an assessment identifies a high risk.

The Joint Opinion highlights the importance of records of processing activities not only as a tool to demonstrate compliance retrospectively, but also as a useful instrument to support compliance with various GDPR requirements. Records help controllers obtain a comprehensive overview of their processing activities, identify a legitimate legal basis, give effect to data subjects’ rights (such as the right of access), assess risks, and determine whether a DPIA is required. Records are also essential tools for Data Protection Officers (DPOs), for determining the controller’s main establishment, and for assessing appropriate security measures. The Joint Opinion also reiterates that the exemption from the record-keeping obligation should not be interpreted as a general exemption from all GDPR obligations.

The Joint Opinion further recommends clarifying in a Recital that the term “organisation” in the proposed amendment to Article 30(5) GDPR does not include public authorities and bodies, which, by their nature and specific responsibilities under the GDPR, should remain subject to the record-keeping obligation regardless of their size.

Finally, the EDPB and EDPS welcome the extension of the scope of Articles 40(1) and 42(1) GDPR to small mid-cap enterprises (SMC), ensuring that their specific needs are taken into account in the drafting of codes of conduct and the establishment of certification mechanisms.

The actions of the EDPB with the Helsinki Statement and the Joint Opinion with the EDPS, in the context of the GDPR simplification Proposal put forward by the European Commission, reflect an active commitment by European authorities to make GDPR compliance increasingly clear and accessible for businesses, contributing to the reduction of excessive administrative burdens.
