A survey of 510 data protection officers published today by noyb - European Centre for Digital Rights reveals a sharp disconnect between the European Commission's Digital Omnibus proposals and what privacy professionals working inside companies say would actually reduce their compliance burden. The findings, drawn from responses collected between July 3 and July 14, 2025, challenge the Commission's stated rationale for some of the most contentious elements of its GDPR reform package.

The Vienna-based non-profit, which has filed around 800 enforcement cases against companies including Google, Apple, Facebook and Amazon since its founding, distributed the survey through its social media accounts and the GDPRtoday newsletter, which reaches more than 13,000 business subscribers. Responses were collected from DPOs, data protection managers, lawyers and consultants across the EU and EEA. After filtering out incomplete responses - those answering fewer than 75% of questions - and participants working in companies not subject to the GDPR, 510 valid responses remained from professionals spanning 28 jurisdictions.

The geographic spread was uneven. Ireland, Denmark and Germany were over-represented; Italy, Spain and Poland under-represented. Half of all respondents worked for organisations with 500 or more employees - a skew noyb acknowledges makes the sample unrepresentative of the overall controller population, which consists largely of small and medium enterprises. Despite that limitation, the organisation argues the results offer a useful evidence base for the debate sparked by the Digital Omnibus, which the Commission published in early 2026 after years of pressure from industry groups and member states including Germany.

The Commission's targets are not the professionals' pain points

The central finding is straightforward: the articles the Commission proposes to restrict are not, by and large, the ones generating the most work for people on the ground.

Data subject rights under Articles 15 to 21 ranked comparatively low in workload across the survey. More than 70% of respondents said the Right of Access under Article 15 generates only "some," "little," or no work at all. At the same time, the same professionals rated it as one of the more useful instruments for protecting individuals. The gap between that assessment and the Commission's proposal to restrict Article 15 is striking. According to noyb, this makes sense in practice: most controllers rarely receive subject access requests, while the organisations that do - large technology platforms, data brokers, credit reference agencies - have generally automated their SAR processes to handle volume efficiently.

The Commission has separately proposed to limit Article 22, which covers automated decision-making. According to the survey, that provision also ranked exceptionally low in workload terms, with most controllers reporting they do not engage in automated decision-making in any form that would trigger the article's requirements.

What does generate workload? Records of processing activities under Article 30 topped the list. Data protection impact assessments under Article 35 ranked second. Security obligations under Article 32 and processor monitoring obligations under Articles 28 and 29 were also high. These are the areas where professionals spend the most time. Yet the Commission's omnibus package addresses most of them only at the margins. The proposal to raise the employee threshold for the Article 30(5) exemption from record-keeping from 250 to 750 staff is unlikely to have meaningful impact, according to noyb, because 43% of professionals working at companies with fewer than 250 employees already maintain ROPAs voluntarily.

Max Schrems, Chairperson of noyb, described the gap in blunt terms. "This study shows an enormous gap between the needs of real people working on compliance every day and the problems pushed by the 'Brussels lobby bubble'. We are not helping normal EU business here - the Commission proposal often even cuts into what professionals see as useful."

Article 28 and the millions of contracts no one reads

One area where the survey does find substantial appetite for reform is processor contracts governed by Article 28(3) GDPR. With roughly 30 million EU businesses each managing multiple data processing relationships, the total number of such contracts in circulation likely exceeds 100 million. Every one of them is required by law to contain the same standard elements, producing what noyb describes as an industrial-scale copy-and-paste exercise.

The underlying rationale for this requirement is largely historical. Article 28(3) traces its structure back to Directive 95/46, under which member states had divergent national laws and contracts were the mechanism for binding processors to the applicable national rules. The GDPR's geographic scope - which now extends to non-EU/EEA providers - has largely eliminated that need. Direct legal obligations on processors, enforceable by both controllers and supervisory authorities, would achieve the same policy objective without the administrative overhead, according to noyb's analysis.

The survey data supports appetite for this change. 85% of respondents agreed that processors, not controllers, hold dominant market power in most relationships - with AWS, Google and Microsoft cited as the most prominent examples. This creates an uncomfortable compliance structure in which legal responsibility sits with the party that has the least actual leverage over processing operations. Some 80.4% of professionals described current Article 28(3) contracts as "hardly enforceable" and amounting to mere "paper compliance." The Commission issued Standard Contract Clauses through Implementing Decision (EU) 2021/915 to address the problem; 69.9% of respondents say those standard clauses have not solved the underlying issue.

The implications for the marketing technology sector are material. The EDPB and EDPS joint opinion of February 10, 2026 identified concerns about the Digital Omnibus's approach to data protection. The joint opinion examined proposals that would place formal responsibility on controllers while the processors capable of driving compliance remain only indirectly bound. That structural tension - which the noyb survey illustrates in quantitative terms - remains unresolved.

Size matters, but the metric is wrong

A substantial portion of the survey examined whether GDPR compliance operates fairly across companies of different sizes. The short answer, based on the responses, is no. The risk-based approach built into the regulation was designed to give smaller controllers proportionate relief. In practice, according to 82% of respondents, risk assessments conducted by controllers arrive at a predetermined outcome - functioning as a mechanism to legitimise existing processing rather than as a genuine check on high-risk activities.

The beneficiaries of interpretive flexibility are large companies with in-house legal teams capable of managing ambiguity. Smaller organisations, lacking those resources, end up either over-complying at high cost or operating with significant legal uncertainty. The survey found strong support - 70% - for the view that the current rules are not strict enough for large controllers, despite the fact that most respondents themselves work at organisations with 500 or more employees.

Professionals do favour clearer thresholds, but not based on employee numbers. The employee-count metric used elsewhere in EU law (for example, the current 250-employee threshold for ROPA exemptions) is widely seen as a poor proxy for actual data processing risk or capacity. Respondents favour metrics tied to the number of data subjects affected. A tiered system - class A, B, and C controllers, differentiated by scale of data processing rather than staff headcount - received broad support as the more workable alternative.

Schrems noted the irony: "For many years, there is a debate about 'tiering' the GDPR, with class A, B or C companies. Right now, a tiny non-profit like noyb generally falls under the same rules as Google. Instead of doing so, the Commission wants to add flexible 'risk' elements to the law, which means that most companies would need a lawyer to know if an Article applies to them."

Whitelists, blacklists, and the demand for clarity

The survey also tested appetite for a structural reform that has circulated in academic and policy discussions for years: publishing formal whitelists of permitted processing activities and blacklists of prohibited ones, modelled loosely on Article 5 of the AI Act.

The response was strongly positive. 83.3% of professionals said they favoured a whitelist for processing activities. 91.1% favoured a blacklist. Both figures are higher than might be expected in a profession that often resists prescriptive rules. More remarkably, 79% of respondents said a blacklist - the more restrictive instrument - would save controllers "a lot of work," and professionals did not consider it an excessive limitation on controller freedom. Legal certainty, the survey suggests, is valued above flexibility by people who have to navigate the law every day.

This finding sits uncomfortably alongside the Commission's direction of travel. The Digital Omnibus leans heavily on extending flexible "risk-based" assessments, adding interpretive space where practitioners report they most need clarity. The current approach under Articles 40 to 43, which provides for Codes of Conduct and Certifications as a softer form of guidance, has seen limited take-up in practice and is not seen as delivering equivalent certainty.

The noyb survey also found strong support for pre-approved privacy policy templates that would accompany whitelisted processing categories under Articles 13 and 14. This is a practical proposal: standardised disclosures reviewed and approved by supervisory authorities would reduce drafting costs, improve quality, and create more predictable outcomes in enforcement - particularly for smaller companies without dedicated legal resources.

The transparency paradox

A related finding concerns transparency obligations under Articles 13 and 14, which the Commission has also proposed to limit. These provisions - requiring controllers to publish information about their data processing in accessible form - ranked high in workload but also high in usefulness. Corporate data protection professionals were not calling for these obligations to be cut; they were asking for standardised tools to make compliance more efficient.

That is a different request. Reducing the requirement to disclose processing activities would remove a burden while also removing a protection. Providing approved templates would reduce the burden while preserving the protection. The professionals' preference was clearly for the second approach. The EDPB and EDPS joint opinion reached broadly similar conclusions from a regulatory perspective, warning that limitations on transparency articles would weaken rather than streamline the framework.

For advertisers and marketing technology companies, transparency requirements are not merely an administrative formality. The lawfulness of many tracking and targeting practices depends on users receiving accurate information about data collection at the point of capture. An Austrian authority ruling from 2025 against YouTube showed how inadequate responses to Article 15 requests - including providing data in machine-readable JSON formats rather than human-readable form - can constitute violations independent of the underlying processing question. If access rights are curtailed at the legislative level, enforcement of those obligations becomes structurally harder.

Implications for marketing and advertising technology

This survey matters for the digital advertising industry for several reasons beyond the specific GDPR provisions under review.

The entire consent infrastructure underpinning programmatic advertising - the IAB's Transparency and Consent Framework, consent management platforms, publisher-level consent signals - rests on the assumption that data subjects have certain enforceable rights. Narrowing Article 15 reduces users' practical ability to verify whether consent was properly obtained and whether their data is being processed as disclosed. A weaker right of access makes it harder to identify violations, which in turn reduces the incentive for platforms and advertisers to maintain clean data practices.

The Article 28 processor contract issue also has direct advertising technology implications. Cloud hyperscalers that host advertising infrastructure - particularly AWS, Google Cloud and Microsoft Azure - are among the processors that 85% of respondents said hold dominant market power over controllers. If those processors cannot be directly obligated under the GDPR, compliance enforcement travels through the controller layer, which often lacks the practical leverage to compel changes to processor behaviour. Data protection authorities have not always enforced the GDPR effectively against Big Tech, and the noyb survey data suggests the Article 28 contract mechanism is not filling the gap.

The tiering question is equally relevant. The Netherlands raised concerns about the Digital Omnibus in late 2025, and member state opposition to the most aggressive reform proposals may shape what eventually emerges from trilogue. A system that places stricter obligations on large controllers - defined by number of data subjects rather than employee count - would directly affect major advertising platforms, which process personal data at scale. Very large online platforms already face additional obligations under the Digital Services Act; aligning GDPR tiering with user-scale metrics would extend that logic into data protection law.

Schrems characterised the overall package in stark terms: "The Omnibus is not just on the wrong track for users, but also for most businesses. In many ways we have a 'lose-lose' proposal."

noyb is clear that this survey marks a starting point rather than a conclusion. The evidence base it provides - 510 professionals across 28 jurisdictions, covering every major GDPR article in terms of workload and benefit - is designed to inform the legislative negotiations that will determine whether the Digital Omnibus improves or worsens the compliance environment for European businesses. The organisation has already secured EU-wide collective redress authority, approved by the Austrian Federal Cartel Attorney on December 2, 2024, and the Irish Ministry of Justice on October 11, 2024, enabling it to pursue enforcement actions alongside its policy work.

Summary

Who: noyb - European Centre for Digital Rights, the Vienna-based non-profit chaired by Max Schrems, conducted the survey. Respondents were 510 Data Protection Officers, data protection managers, lawyers and consultants working in organisations subject to the GDPR across 28 jurisdictions.

What: A survey of privacy professionals found that the European Commission's Digital Omnibus proposal - which seeks to restrict the Right of Access under Article 15, limit automated decision-making protections under Article 22, and reduce transparency obligations - does not reflect the areas where DPOs and compliance staff spend most of their time. The highest workload falls on records of processing activities (Article 30), data protection impact assessments (Article 35), and processor contracts (Articles 28 and 29). Professionals favour whitelists and blacklists for processing activities, clearer size-based thresholds tied to user numbers rather than employee counts, and direct GDPR obligations for processors.

When: Survey data was collected between July 3 and July 14, 2025. The findings were published and distributed to media on March 5, 2026.

Where: The survey reached DPOs and privacy professionals predominantly based in the EU/EEA, distributed via noyb's social media accounts and the GDPRtoday newsletter (13,000+ business subscribers). The findings were published by noyb.eu in Vienna, Austria.

Why: The European Commission's Digital Omnibus initiative, published as part of a broader EU competitiveness agenda, proposes amendments to the GDPR framed as reducing regulatory burden. noyb conducted the survey to test whether those proposals correspond to the actual compliance challenges facing businesses, and found a significant mismatch between the Commission's stated targets and what professionals on the ground identify as their most time-consuming obligations.
