A survey of 510 data protection officers published today by noyb – European Centre for Digital Rights reveals a sharp disconnect between the European Commission’s Digital Omnibus proposals and what privacy professionals working inside companies say would actually reduce their compliance burden. The findings, drawn from responses collected between July 3 and July 14, 2025, challenge the Commission’s stated rationale for some of the most contentious elements of its GDPR reform package.

The Vienna-based non-profit, which has filed around 800 enforcement cases against companies including Google, Apple, Facebook and Amazon since its founding, distributed the survey through its social media accounts and the GDPRtoday newsletter, which reaches more than 13,000 business subscribers. Responses were collected from DPOs, data protection managers, attorneys and consultants across the EU and EEA. After filtering out incomplete responses – those answering fewer than 75% of questions – and participants working in companies not subject to the GDPR, 510 valid responses remained from professionals spanning 28 jurisdictions.

The geographic spread was uneven. Ireland, Denmark and Germany were over-represented; Italy, Spain and Poland under-represented. Half of all respondents worked for organisations with 500 or more employees – a skew noyb acknowledges makes the sample unrepresentative of the overall controller population, which consists largely of small and medium enterprises. Despite that limitation, the organisation argues the results offer a useful evidence base for the debate sparked by the Digital Omnibus, which the Commission published in early 2026 after years of pressure from industry groups and member states including Germany.

The Commission’s targets are not the professionals’ pain points

The central finding is simple: the articles the Commission proposes to restrict are not, by and large, the ones generating the most work for people on the ground.

Data subject rights under Articles 15 to 21 ranked comparably low in workload across the survey. More than 70% of respondents said the Right of Access under Article 15 generates only “some,” “little,” or no work at all. At the same time, the same professionals rated it as one of the more useful instruments for protecting individuals. The gap between that assessment and the Commission’s proposal to restrict Article 15 is striking. According to noyb, this makes sense in practice: most controllers rarely receive subject access requests, while the organisations that do – large technology platforms, data brokers, credit reference agencies – have often automated their SAR processes to handle volume efficiently.

The Commission has separately proposed to limit Article 22, which covers automated decision-making. According to the survey, that provision also ranked exceptionally low in workload terms, with most controllers reporting they do not engage in automated decision-making in any form that would trigger the article’s requirements.

What does generate workload? Records of processing activities under Article 30 topped the list. Data protection impact assessments under Article 35 ranked second. Security obligations under Article 32 and processor monitoring obligations under Articles 28 and 29 were also high. These are the areas where professionals spend the most time. Yet the Commission’s omnibus package addresses most of them only at the margins. The proposal to raise the employee threshold for the Article 30(5) exemption from record-keeping from 250 to 750 employees is unlikely to have meaningful impact, according to noyb, because 43% of professionals working at companies with fewer than 250 employees already maintain ROPAs voluntarily.

Max Schrems, Chairperson of noyb, described the gap in blunt terms. “This study shows an enormous gap between the needs of real people working on compliance every day and the problems pushed by the ‘Brussels lobby bubble’. We are not helping normal EU business here – the Commission proposal typically even cuts into what professionals see as useful.”

Article 28 and the tens of millions of contracts nobody reads

One area where the survey does find substantial appetite for reform is processor contracts governed by Article 28(3) GDPR. With roughly 30 million EU businesses each managing multiple data processing relationships, the total number of such contracts in circulation likely exceeds 100 million. Every one of them is required by law to contain the same standard elements, producing what noyb describes as an industrial-scale copy-and-paste exercise.

The underlying rationale for this requirement is largely historical. Article 28(3) traces its structure back to Directive 95/46, under which member states had divergent national laws and contracts were the mechanism for binding processors to the applicable national rules. The GDPR’s geographic scope – which now extends to non-EU/EEA providers – has largely eliminated that need. Direct legal obligations on processors, enforceable by both controllers and supervisory authorities, would achieve the same policy objective without the administrative overhead, according to noyb’s analysis.

The survey data supports appetite for this change. 85% of respondents agreed that processors, not controllers, hold dominant market power in most relationships – with AWS, Google and Microsoft cited as the most prominent examples. This creates an uncomfortable compliance structure in which obligation sits with the party that has the least actual leverage over processing operations. Some 80.4% of professionals described current Article 28(3) contracts as “hardly enforceable” and amounting to mere “paper compliance.” The Commission issued Standard Contractual Clauses through Implementing Decision (EU) 2021/915 to address the problem; 69.9% of respondents say these standard clauses have not solved the underlying issue.

The implications for the marketing technology sector are material. The EDPB and EDPS joint opinion of February 10, 2026 identified concerns about the Digital Omnibus’s approach to data protection. The joint opinion examined proposals that would place formal accountability on controllers while the processors capable of driving compliance remain only indirectly bound. That structural tension – which the noyb survey illustrates in quantitative terms – remains unresolved.

Size matters, but the metric is wrong

A substantial portion of the survey examined whether GDPR compliance operates fairly across companies of different sizes. The short answer, based on the responses, is no. The risk-based approach built into the regulation was designed to give smaller controllers proportionate relief. In practice, according to 82% of respondents, risk assessments conducted by controllers arrive at a predetermined outcome – functioning as a mechanism to legitimise existing processing rather than as a genuine check on high-risk activities.

The beneficiaries of interpretive flexibility are large companies with in-house legal teams capable of managing ambiguity. Smaller organisations, lacking those resources, end up either over-complying at high cost or operating with significant legal uncertainty. The survey found strong support – 70% – for the view that the current rules are not strict enough for large controllers, even though most respondents themselves work at organisations with 500 or more employees.

Professionals do favour clearer thresholds, but not based on employee numbers. The employee-count metric used elsewhere in EU law (for example, the current 250-employee threshold for ROPA exemptions) is widely seen as a poor proxy for actual data processing risk or capacity. Respondents favour metrics tied to the number of data subjects affected. A tiered system – class A, B, and C controllers, differentiated by scale of data processing rather than staff headcount – received broad support as the more workable alternative.

Schrems noted the irony: “For many years, there is a debate about ‘tiering’ the GDPR, with class A, B or C companies. Right now, a tiny non-profit like noyb usually falls under the same rules as Google. Instead of doing so, the Commission wants to add flexible ‘risk’ elements to the law, which means that most companies would need a lawyer to know if an Article applies to them.”

Whitelists, blacklists, and the demand for clarity

The survey also examined appetite for a structural reform that has circulated in academic and policy discussions for years: publishing formal whitelists of permitted processing activities and blacklists of prohibited ones, modelled loosely on Article 5 of the AI Act.

The response was strongly positive. 83.3% of professionals said they favoured a whitelist for processing activities. 91.1% favoured a blacklist. Both figures are higher than might be expected in a profession that often resists prescriptive rules. More remarkably, 79% of respondents said a blacklist – the more restrictive instrument – would save controllers “quite a lot of work,” and professionals did not consider it an excessive limitation on controller freedom. Legal certainty, the survey suggests, is valued above flexibility by people who have to navigate the law every day.

This finding sits uncomfortably alongside the Commission’s direction of travel. The Digital Omnibus leans heavily on extending flexible “risk-based” assessments, adding interpretive space where practitioners report they most need clarity. The current approach under Articles 40 to 43, which provides for Codes of Conduct and Certifications as a softer form of guidance, has seen limited take-up in practice and is not seen as delivering equivalent certainty.

The noyb survey also found strong support for pre-approved privacy policy templates that would accompany whitelisted processing categories under Articles 13 and 14. This is a practical proposal: standardised disclosures reviewed and approved by supervisory authorities would reduce drafting costs, improve quality, and create more predictable outcomes in enforcement – particularly for smaller companies without dedicated legal resources.

The transparency paradox

A related finding concerns transparency obligations under Articles 13 and 14, which the Commission has also proposed to limit. These provisions – requiring controllers to publish information about their data processing in accessible form – ranked high in workload but also high in usefulness. Corporate data protection professionals were not calling for these obligations to be cut; they were asking for standardised tools to make compliance more efficient.

That is a different request. Reducing the requirement to disclose processing activities would remove a burden while also removing a protection. Providing approved templates would reduce the burden while preserving the protection. The professionals’ preference was clearly for the second approach. The EDPB and EDPS joint opinion reached broadly similar conclusions from a regulatory perspective, warning that limitations on transparency articles would weaken rather than streamline the framework.

For advertisers and marketing technology companies, transparency requirements are not merely an administrative formality. The lawfulness of many tracking and targeting practices depends on users receiving accurate information about data collection at the point of capture. An Austrian authority ruling from 2025 against YouTube showed how inadequate responses to Article 15 requests – including providing data in machine-readable JSON formats rather than human-readable form – can constitute violations independent of the underlying processing question. If access rights are curtailed at the legislative level, enforcement of those obligations becomes structurally harder.

Implications for marketing and advertising technology

This survey matters for the digital advertising industry for several reasons beyond the specific GDPR provisions under review.

The entire consent infrastructure underpinning programmatic advertising – the IAB’s Transparency and Consent Framework, consent management platforms, publisher-level consent signals – rests on the assumption that data subjects have certain enforceable rights. Narrowing Article 15 reduces users’ practical ability to verify whether consent was properly obtained and whether their data is being processed as disclosed. A weaker right of access makes it harder to identify violations, which in turn reduces the incentive for platforms and advertisers to maintain clear data practices.

The Article 28 processor contract issue also has direct advertising technology implications. Cloud hyperscalers that host advertising infrastructure – particularly AWS, Google Cloud and Microsoft Azure – are among the processors that 85% of respondents said hold dominant market power over controllers. If these processors cannot be directly obligated under the GDPR, compliance enforcement travels through the controller layer, which often lacks the practical leverage to compel changes to processor behaviour. Data protection authorities have not always enforced the GDPR effectively against Big Tech, and the noyb survey data suggests the Article 28 contract mechanism is not filling the gap.

The tiering question is equally relevant. The Netherlands raised concerns about the Digital Omnibus in late 2025, and member state opposition to the most aggressive reform proposals may shape what eventually emerges from trilogue. A system that places stricter obligations on large controllers – defined by number of data subjects rather than employee count – would directly affect major advertising platforms, which process personal data at scale. Very large online platforms already face additional obligations under the Digital Services Act; aligning GDPR tiering with user-scale metrics would extend that logic into data protection law.

Schrems characterised the overall package in stark terms: “The Omnibus is not only on the wrong track for users, but also for most businesses. In many ways we have a ‘loose-loose’ proposal.”

noyb is clear that this survey marks a starting point rather than a conclusion. The evidence base it provides – 510 professionals across 28 jurisdictions, covering every major GDPR article in terms of workload and benefit – is designed to inform the legislative negotiations that will determine whether the Digital Omnibus improves or worsens the compliance environment for European businesses. The organisation has already secured EU-wide collective redress authority, approved by the Austrian Federal Cartel Lawyer on December 2, 2024, and the Irish Ministry of Justice on October 11, 2024, enabling it to pursue enforcement actions alongside its policy work.

Summary

Who: noyb – European Centre for Digital Rights, the Vienna-based non-profit chaired by Max Schrems, conducted the survey. Respondents were 510 Data Protection Officers, data protection managers, attorneys and consultants working in organisations subject to the GDPR across 28 jurisdictions.

What: A survey of privacy professionals found that the European Commission’s Digital Omnibus proposal – which seeks to restrict the Right of Access under Article 15, limit automated decision-making protections under Article 22, and reduce transparency obligations – does not reflect the areas where DPOs and compliance staff spend most of their time. The highest workload falls on records of processing activities (Article 30), data protection impact assessments (Article 35), and processor contracts (Articles 28 and 29). Professionals favour whitelists and blacklists for processing activities, clearer size-based thresholds tied to user numbers rather than employee counts, and direct GDPR obligations for processors.

When: Survey data was collected between July 3 and July 14, 2025. The findings were published and distributed to media on March 5, 2026.

Where: The survey reached DPOs and privacy professionals predominantly based in the EU/EEA, distributed via noyb’s social media accounts and the GDPRtoday newsletter (13,000+ business subscribers). The findings were published by noyb.eu in Vienna, Austria.

Why: The European Commission’s Digital Omnibus initiative, published as part of a broader EU competitiveness agenda, proposes amendments to the GDPR framed as reducing regulatory burden. noyb conducted the survey to test whether those proposals correspond to the actual compliance challenges facing businesses, and found a significant mismatch between the Commission’s stated targets and what professionals on the ground identify as their most time-consuming obligations.

