The GDPR follows a risk-based approach [Kachel PC.17]. This means that the obligations of the controller should be reduced in the case of low-risk data processing. In practice, however, this approach is hardly used by data protection supervisory authorities and data processors (for various reasons).

In order to create legal certainty, low-risk data processing should be exempted from obligations on the basis of the opening clauses of the GDPR and data protection supervisory authorities should be encouraged to promote the use of data in the sense of the GDPR.