Please see written contributions below on the requested topics:
1. Further simplification/reduction of administrative burden
(a) What are your views on possible further simplification of the GDPR, going beyond the Commission’s recent proposal to simplify the record-keeping obligations?
While we support efforts to ease the administrative burden on organisations, we do not believe that further simplification of the General Data Protection Regulation (GDPR) itself is the appropriate route. The text of the Regulation provides a robust and flexible framework for data protection across the Union. The key challenge lies not in the complexity of the law per se, but in its practical implementation by data controllers and processors of varying sizes and resources. Meaningful simplification should focus on practice, not principle. This could be achieved through the provision of standardised, practical tools and implementable guidance at EU level.
While the GDPR is designed to be scalable, in practice smaller organisations and public bodies often struggle with resource constraints. Practical simplification efforts should be targeted at making compliance achievable for these groups without compromising the rights of individuals. Toolkits designed specifically for these organisations, such as model RoPAs, sample DPIA templates, or pre-assessed processing scenarios, could provide substantial relief. For example, providing a master RoPA template, endorsed by the EDPB, with common entries for high-risk areas (e.g. HR, marketing, finance) would be a major step forward. These could be expanded upon where necessary but would offer a clear and accessible starting point for all organisations — particularly SMEs. Similarly, organisations would benefit greatly from harmonised EU-level guidance on the use of threshold assessments as a preliminary step to determine whether a full DPIA is required, together with standardised templates for both the threshold assessment and the full DPIA. Clear, consistent, and accessible interpretation of these processes would significantly reduce uncertainty and improve compliance, particularly among SMEs and public bodies.
We strongly disagree with the suggestion that reducing the scope of the Record of Processing Activities (RoPA) obligations would meaningfully simplify compliance. On the contrary, the RoPA serves as a foundational accountability and compliance instrument. It is an essential resource for understanding and managing data flows, enabling organisations to respond effectively to data subject access requests, security incidents, and audits. Without it, organisations risk operating without a clear overview of what personal data they hold, where it resides, to whom it pertains, and with whom it is shared — ultimately increasing, not reducing, the administrative burden when issues arise.
Rather than removing or limiting RoPA obligations, as proposed, we believe there is a need to support their fulfilment through structured templates, training, and sector-specific guidance. Cutting RoPA requirements would ultimately backfire; organisations that lack a comprehensive understanding of what data they hold, where it resides, and how it is processed are less equipped to manage DSARs, breaches, and DPIAs. This would increase, not decrease, administrative burden in the long run.
We also caution against any approach that determines RoPA obligations based on organisational size or staff numbers. Such a threshold is not reflective of actual data protection risk and runs counter to the GDPR’s fundamental principle of a risk-based approach. A small organisation may process highly sensitive or large volumes of personal data, while a larger organisation may carry out limited low-risk processing. Compliance requirements should be based on the nature, context, and scope of processing — not arbitrary metrics.
While the proposed amendment maintains the obligation to keep a RoPA where processing is likely to result in a high risk, this threshold is inherently subjective unless accompanied by clear, authoritative guidance, and may lead to divergent interpretations by controllers and supervisory authorities, thereby increasing the potential for confusion and inconsistent application.
A RoPA is essential for making informed, risk-based compliance decisions. Without it, a DPO cannot assess processing risks or recommend appropriate technical and organisational measures (TOMs). It also underpins the practical implementation of other key requirements, such as data minimisation, storage limitation, and security.
Clarity is also needed on how any proposed simplification of record-keeping obligations would impact the role of Article 27 EU Representatives, given that maintaining access to the RoPA is one of their core legal responsibilities under the GDPR. Without a RoPA, the EU Representative role is hollow, as they lack a foundational tool to respond to data subject inquiries or regulator requests. This raises questions about whether that function will remain fit for purpose.
The solution is not to strip back core accountability tools, but to make them easier to implement. Practicality, not deregulation, should be the goal. With appropriate templates, guidance, and training, even smaller organisations can maintain a RoPA and carry out meaningful DPIAs — both of which are critical to embedding risk awareness and sustainable compliance across the EU digital ecosystem.
(b) Which targeted amendments would potentially appear useful to reduce administrative burden of controllers and processors, while maintaining the GDPR’s risk-based approach and ensuring the high level of data protection?
As stated in our response to question (a), the path to reducing administrative burden lies not in undermining key compliance mechanisms, but in identifying practical and proportionate adjustments. A clear example of this is the significant burden posed by the growing misuse of data subject access requests (DSARs). While we fully recognise the importance of the right of access as a core pillar of data protection law, it is increasingly evident that the mechanism is being misused by some individuals in ways that diverge from its original intent. Organisations are often required to expend considerable time and resources in responding to access requests that are not driven by a genuine desire to understand or verify the use of one’s personal data, but rather serve as a means to harass, disrupt, or apply pressure.
To address this, we recommend a targeted amendment to Article 12 or Article 15 of the GDPR to introduce a clearer and more practical exemption for manifestly vexatious or abusive DSARs. Article 12(5) GDPR currently provides for the refusal of requests that are “manifestly unfounded or excessive.” However, the interpretation of this provision remains uncertain and inconsistently applied across Member States. Interpretation remains open-ended and is largely determined by context, case law, and regulator guidance — all of which lack legal certainty and consistency.
The addition of a clear exemption for vexatious requests would help reduce the disproportionate administrative burden that comes with these requests in the absence of any genuine data protection benefit. The UK Freedom of Information Act (FOIA) provides a well-developed and regulator-tested framework for identifying and managing vexatious requests. A similar structured approach — including a non-exhaustive set of indicators and regulator oversight — could be adapted to data protection, offering clarity for organisations while preserving individuals’ rights through meaningful recourse mechanisms. The UK’s Information Commissioner’s Office (ICO) has developed extensive guidance on how to identify such requests, taking into account factors such as the burden on the organisation, repetitiveness, intent to disrupt, or absence of serious purpose. This approach recognises that upholding fundamental rights must also be balanced against the need to protect organisations from malicious or obstructive behaviours that undermine effective governance.
Importantly, any such exemption must be paired with a recourse mechanism for data subjects, ensuring that if a request is refused, the individual retains the right to complain to the competent supervisory authority. The authority should then have the power to review the decision and, where appropriate, compel the organisation to comply. This maintains a high level of data protection while guarding against abuse of the system.
It is essential to underscore that compelling organisations to process vexatious or abusive access requests does not enhance compliance or improve data protection practices. Instead, it diverts valuable resources from genuine data governance activities and can undermine the overall efficacy of an organisation’s privacy programme.
A comparable, well-defined framework under the GDPR for managing abusive or vexatious data subject access requests would provide much-needed clarity and consistency for data controllers, reduce administrative overhead, and enhance the practical effectiveness of data protection compliance — without undermining the rights of genuine data subjects. We believe this is a proportionate and targeted solution that respects the principle of accountability while aligning with the Regulation’s risk-based approach.
2. Increasing legal certainty, reducing fragmentation, and further harmonising enforcement
(a) What are the measures you would consider useful to increase legal certainty, to reduce the fragmentation in the application of the GDPR, and to further harmonise its enforcement?
A critical measure for increasing legal certainty and reducing fragmentation would be to provide greater clarity and interpretive consistency on provisions that are currently open-ended, such as the treatment of “manifestly unfounded or excessive” requests under Article 12(5) GDPR. As noted in our response to the previous question, there is no precise, harmonised guidance on when a data subject access request (DSAR) may be considered manifestly unfounded or excessive, or on whether that concept encompasses abusive or vexatious requests. The question is left to the interpretation of controllers and national supervisory authorities, which results in divergent practices across Member States. Some supervisory authorities interpret these provisions narrowly, obliging controllers to respond to requests even in clearly disruptive circumstances, while others apply more practical thresholds.
This inconsistency creates uncertainty for organisations operating in multiple jurisdictions and undermines the Regulation’s foundational principle of legal predictability. It also dilutes the effectiveness of the GDPR’s risk-based approach, by forcing organisations to expend resources responding to requests that do not meaningfully advance data protection objectives.
To address this, we strongly recommend that the European Data Protection Board (EDPB), in cooperation with national supervisory authorities, develop and adopt practical guidance on the application of Article 12(5), including illustrative criteria for identifying vexatious, excessive, or manifestly unfounded requests, as well as a model response protocol for handling and documenting such DSAR refusals. This would assist controllers and streamline regulatory oversight.
More broadly, the EDPB should coordinate the development of harmonised operational tools, including:
In addition, we support further expansion of the Consistency Mechanism under Chapter VII of the GDPR, not only for high-profile cross-border cases but also for interpretive matters that have wide operational impact. Increased use of joint EDPB initiatives, including binding guidelines where appropriate, would mitigate fragmentation and help ensure that enforcement is applied evenly, fairly, and predictably across the Union.
Finally, it is essential that resourcing of supervisory authorities be addressed at the EU level. Disparities in enforcement capacity and expertise between Member States perpetuate fragmented outcomes. Dedicated EU funding or coordination mechanisms could help elevate baseline regulatory capability and foster greater alignment.
Legal certainty and harmonised enforcement will only be achieved through a shared commitment to practical convergence — not only through the letter of the law, but through common operational standards, interpretive unity, and cooperative oversight.
3. Facilitating compliance with GDPR
(a) What are your views on the various tools under the GDPR, e.g. codes of conduct and certification, that could be exploited to facilitate compliance with the GDPR?
Codes of conduct and certification mechanisms have strong potential to support structured, risk-based compliance with the GDPR. However, their use remains limited due to procedural barriers and a lack of clear, practical guidance.
Codes of conduct, in particular, offer a valuable framework for promoting ongoing best practice, accountability, and sector-specific governance. A master code of conduct developed at EU level — and adapted by industry associations for specific sectors — could provide a harmonised baseline, reduce fragmentation, and ensure more consistent uptake across Member States. This should be accompanied by regulatory guidance on drafting and implementing sectoral codes, with flexibility to accommodate different organisational sizes and risk profiles.
We believe the approach to codes of conduct should be simplified and made more scalable, following a model of graduated self-governance, similar to what is already seen under frameworks like the NIS2 Directive. In that model, organisations are responsible for ensuring compliance through internal governance structures, with external scrutiny only triggered in the event of a breach or incident.
Another option is to introduce a tiered model that distinguishes between two kinds of code. Self-attested codes, where organisations align with a sectoral code and maintain internal records of adherence, would operate on a trust-and-monitor basis, with compliance presumed unless breached. Verified codes would be subject to external certification or audit, potentially through a designated monitoring body or independent assessor, for organisations that wish to obtain formal assurance or demonstrate enhanced compliance. This model would allow flexibility and encourage broader participation while maintaining enforceability where needed.
While we acknowledge the intent behind the GDPR certification mechanism and recognise the potential value of certifications in sectors such as cloud service provision, we do not believe that a general GDPR certification offers significant value to most organisations or to the public. In practice, GDPR certifications are not widely understood or recognised by the public, and their relevance in day-to-day compliance decision-making is limited. In our experience, codes of conduct provide greater real-world utility, particularly because they can be tailored to the specific operational realities of different sectors and encourage continuous best practice. Sectoral codes allow for the development of practical, meaningful standards that reflect the nuanced challenges faced by different industries, and as such offer a more accessible and impactful route to promoting sustained, risk-based compliance.
(b) What challenges have you faced in relation to the use of such tools and what solutions would you propose to address these challenges?
The primary challenges with both codes of conduct and certification mechanisms are procedural complexity, limited accessibility, and unclear practical benefits — particularly for smaller organisations.
For codes of conduct, the requirement to designate a code owner and a monitoring body (unless public sector), and to go through a formal approval process, is overly onerous. Sector associations often lack the resources or expertise to navigate these requirements, which discourages participation. Furthermore, the absence of clear EU-level templates or examples has led to confusion and inconsistent implementation.
To address this, we propose:
In terms of GDPR certification, there is limited visibility into how certification translates into regulatory benefit. Certification is viewed as inaccessible to many organisations and as offering unclear value beyond reputational optics. Compounding this is the lack of public awareness or understanding of what certification signifies. For most individuals, GDPR certification does not meaningfully influence trust or decision-making, as the schemes are not widely recognised or communicated in an accessible way.
To improve the effectiveness and uptake of certification mechanisms, there should be greater clarity on their regulatory relevance — for example, whether certified status may be considered a mitigating factor in enforcement or an indicator of accountability. In parallel, increasing public visibility and trust in certification could be achieved through centralised EU-endorsed registers, public education campaigns, and standardised trust marks that clearly signal what certification entails. Without these efforts, certification risks remaining a symbolic or siloed exercise rather than a practical compliance tool.
4. Clarifying the articulation with other digital legislation
(a) Is there a need to further clarify the interplay of the GDPR with other EU digital legislation?
Yes, we believe there is a need for clearer communication and guidance on how the GDPR interacts with other EU digital legislation — particularly to dispel concerns and perceived complexity among smaller organisations.
In practice, the interplay between the GDPR and instruments such as the AI Act, Data Act, and Digital Services Act will have the greatest operational impact on larger enterprises and high-risk sectors. However, among SMEs and public sector bodies, there is a growing perception that the expanding digital regulatory framework will significantly increase their compliance burden, even where their obligations under other laws may be limited or indirect.
This perception of complexity can be as damaging as actual regulatory overlap. It may deter organisations from engaging confidently with compliance requirements, particularly where they lack the legal or technical capacity to interpret how multiple frameworks interact. Many simply want to know: “Does this change what I need to do under GDPR?”
To address this, we recommend the European Commission and EDPB provide:
This would help reduce unnecessary apprehension, support proportionate implementation, and allow organisations — especially SMEs — to focus on the obligations that actually apply to them. Strengthening understanding, rather than adding layers of regulation, is key to supporting sustainable data governance across all sectors.
(b) Can you provide some specific examples of provisions for which the interplay of the GDPR and other digital legislation has appeared to be challenging?
The interplay between the GDPR and the ePrivacy Directive has been complex due to overlapping scopes, inconsistent enforcement, and fragmented implementation across the EU. While the GDPR provides a unified framework for personal data protection, the ePrivacy Directive governs specific areas like cookies and electronic communications, often requiring stricter consent standards. This has created confusion, particularly around the legal basis for processing, e.g. where the GDPR allows legitimate interest, the ePrivacy Directive may demand explicit consent. The standard for obtaining valid consent evolved with the introduction of the GDPR, requiring consent to be freely given, specific, informed, and unambiguous. This higher standard conflicted with earlier interpretations under the ePrivacy Directive, leading to uncertainty about what constitutes valid consent in contexts like cookie usage and electronic marketing.
Enforcement also differs as the GDPR relies on centralised data protection authorities, while the ePrivacy Directive may involve multiple regulators per Member State, leading to fragmented oversight. As a directive, ePrivacy has been implemented differently across Member States, adding further complexity for cross-border organisations. Although the EDPB has issued opinions on the interplay, practical guidance remains limited, reinforcing the need for harmonisation and clearer communication.
Similar issues are foreseen in the interplay between the GDPR and the AI Act. For example, each law defines biometric data differently and regulates it in a different way, which creates confusion for organisations attempting to comply with both frameworks. Under the GDPR, biometric data is treated as a special category only when it is used to uniquely identify an individual, triggering stricter processing conditions. In contrast, the AI Act focuses on the use of biometric systems themselves, particularly real-time identification and surveillance, which are classified as high-risk or even prohibited in certain contexts. This difference in focus — one on the nature of the data, the other on its use — leads to uncertainty about which obligations apply in practice and whether both frameworks must be followed concurrently. Greater clarity is needed to reconcile these definitions and provide consistent guidance for organisations developing or using biometric technologies.
These examples reinforce the need for structured, accessible comparative materials and a focus on inter-regulatory coherence. As the digital legislative landscape continues to evolve, ensuring that GDPR remains the anchor point — while clearly articulating how it connects with other instruments — will be critical for sustained, effective compliance.