
The guidelines and recommendations from national data protection authorities and EU bodies
- Key decisions made and guidelines issued by data protection authorities over the summer period
- Evolutions in the field of AI and IP over the summer period
Key takeaways
France (CNIL): draft guidelines on provision and deployment of web filtering gateways
The French data protection authority (CNIL) launched a draft recommendation on 28 July 2025 to support data controllers deploying web filtering gateways and their providers. What is a web filtering gateway (or ‘web proxy filter’)? As defined in the draft recommendation, it is a “device or service used to control and monitor Internet access by filtering web content according to predefined policies”. It is used to block access to certain websites or categories of content for security and compliance reasons.
In that sense, the recommendation applies to data controllers, public and private employers, who deploy web filtering solutions for internet browsing in a professional context by their employees, agents, service providers or external visitors. Its aim is to assist employers in implementing such web filtering solutions in a GDPR-compliant manner and to assist solution providers in implementing best practices from a security perspective.
The recommendation (available here) is open for public consultation until 30 September 2025.
The Netherlands (AP): guidelines on meaningful human intervention in (automated) decision-making
The Dutch data protection authority (Autoriteit Persoonsgegevens) issued guidelines on meaningful human intervention in algorithmic (automated) decision-making (available here). Think, for instance, of a job application process, or the process of requesting a bank loan or insurance. Of course, it cannot suffice for the human intervention to be limited to a mere click on a button at the very end of the decision process. In this respect, the guidelines offer many useful insights, with practical questions for organisations to consider throughout in order to make the human intervention in the decision-making process as meaningful as possible.
EU (EDPB/EDPS): joint opinion on simplification and expansion of exemption to keep a ROPA
On 21 May 2025, the European Commission issued a Proposal for a Regulation amending certain regulations, including the GDPR (available here). With respect to the GDPR, this proposal aims to simplify the existing exemption from the obligation to keep a record of processing activities (ROPA) as its usability in practice was more limited than intended. It also aims to broaden its scope so that not only small and medium enterprises (SMEs) can benefit from it but also the newly introduced category of ‘small mid-cap enterprises’ (SMCs). SMCs are bigger than SMEs, but smaller than large companies, and constitute a new intermediate category of company as per the Annex to the Commission Recommendation 2025/1099 of 21 May 2025 available here.
In the proposed text, enterprises or organizations employing fewer than 750 persons are no longer required to keep a record of processing activities, except for those processing activities that are likely to result in a high risk to the rights and freedoms of data subjects within the meaning of Art. 35 GDPR (i.e. for which it is mandatory to conduct a data protection impact assessment).
On 8 July 2025, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on this proposal (available here). The EDPB and EDPS express their support for the general objective of the proposal to reduce the administrative burden for SMEs and SMCs. However, among other points, they request the legislator (i) to clarify why the threshold of 750 persons is more appropriate than the one of 500 employees initially considered, (ii) to refer in the exemption to the definitions of SMEs and SMCs, which take into account not only employee count but also financial criteria, and (iii) to clarify that the exemption does not apply to public authorities and bodies. The EDPB and EDPS also stress that the consequences of the proposed changes to the GDPR on fundamental rights (i.e. the right to protection of personal data) need to be assessed.
Action Points
- Thank you for reading and don’t hesitate to reach out to your usual contact person at EY Law or any of the authors of this Digital Digest edition if you have any questions or would like further assistance!