
GSMA and Connect Europe: Key Messages on GDPR Simplification

Information Technology | 2025-10-08 | GSMA

October 2025

GENERAL REMARKS

Connect Europe and the GSMA welcome the European Commission’s focus on Simplification as an opportunity to enhance European Competitiveness, help EU companies to innovate and preserve the rights of EU citizens. A well-designed, fit-for-purpose simplification of the GDPR would enhance legal certainty, reduce administrative burden, and help to responsibly innovate without lowering the high level of data protection in the EU.

GDPR is a cornerstone of the EU digital framework as well as a global standard. While GDPR core principles remain solid and future-proof, there are areas for improvement, as its practical implementation has proved overly complex and sets out unnecessarily burdensome requirements.

The experience accumulated in the seven years since the GDPR entered into application presents an opportunity to refine how the GDPR should be applied and to strengthen its effectiveness, without compromising its foundational goals, and without a broader reopening of the Act.

SOME PROPOSALS TO STREAMLINE APPLICATION OF GDPR

More focus on Risk Based Approach

GDPR was designed with a risk-based approach to tailor compliance obligations based on actual risks to individuals' rights and freedoms. Overly rigid interpretations have sidelined this principle, defaulting to precautionary measures. Clarifying and harmonizing risk evaluation criteria across Member States should be considered, including factors such as scale, sensitivity, safeguards, and likelihood of harm. This would reduce legal uncertainty and regulatory fragmentation.

More focus on a Risk-Based Approach would:

- Significantly reduce administrative burden
- Ensure better allocation of companies’ resources
- Better position EU companies to innovate and compete globally

Risk Based Approach on International Data Transfers

A well-understood Risk-Based Approach should also apply across Chapter V to facilitate the secure international transfer of data, getting rid of additional requirements introduced by DPAs that are not proportionate to the potential risk of the transfer.

Current practice has placed a disproportionate focus on this area, often introducing additional requirements from DPAs that are not aligned with the actual risk of the transfer. This has led to a perception that compliance is unattainable, particularly due to geopolitical factors beyond the controller’s control. A more balanced interpretation grounded in risk and proportionality would restore legal certainty and allow organizations to focus on meaningful safeguards rather than exhaustive formalities.

New approach to the concept of personal data (Recital 26 GDPR)

To promote consistency and a harmonized application across the EU, Recital 26 GDPR should reflect the subjective interpretation of the concept of personal data, as confirmed by ECJ Jurisprudence¹.

EDPB Guidelines 1/2025 on Pseudonymisation recognize that data remains personal when it can be linked back to an individual using additional information, a position we support. However, this approach should be further refined in light of the CJEU’s recent SRB case (C-413/23 P, 4 September 2025), which confirms that the qualification of data as personal depends on the perspective of the entity conducting the analysis.

For the same set of pseudonymised data, the sender may have reasonable means to re-identify individuals, making it personal data for them. However, the recipient, lacking such means, may not be processing personal data. This distinction is crucial and should be reflected in practice to reduce unnecessary administrative burdens.

Even though the CJEU concluded that GDPR obligations apply from the perspective of the entity capable of re-identification, alternative approaches such as lighter GDPR implementation should be considered when data is shared with entities that cannot reasonably re-identify individuals. For example, in clinical trials, statistical service providers working only with pseudonymised data should not be subject to the same compliance burden as processors with access to identifying information. Controllers sharing data with such entities should benefit from a lighter implementation of the GDPR.

In such cases, a lighter compliance regime, also for entities sharing pseudonymised data (e.g., simplified or no DPA), would encourage a broader adoption of strong pseudonymisation techniques, while maintaining robust protection for data subjects.

Embedding this nuanced ECJ jurisprudence within a GDPR Recital would introduce the necessary flexibility in the application of the law and unlock significant potential for data innovation, analytics, and Artificial Intelligence uses, without compromising data subject rights.

Practical Challenges: Right of Access under Article 15 GDPR

An area of concern is the practical implementation of the right of access under Article 15 GDPR, particularly in light of interpretations by the CJEU (Case C-154/21), which confirms that, upon request, data controllers must disclose the actual identity of recipients of personal data, unless doing so is impossible or the request is manifestly unfounded or