On 21 May 2025, the European Commission ("Commission") published a proposal to amend the General Data Protection Regulation ("GDPR") as part of its broader Omnibus Package IV. This initiative aims to simplify compliance for small mid-cap companies ("SMCs"), in line with the more flexible rules already available to small and medium-sized enterprises ("SMEs"). The proposed regulation would update several EU legal acts, including the GDPR, to reduce administrative burdens and make it easier for smaller businesses to operate across the EU.
What's changing under the proposal?
One of the key changes in the Commission's Proposal is the formal introduction of definitions for SMEs and SMCs into the GDPR. These would be added to Article 4 by reference to existing EU recommendations:
- SMEs are defined under Commission Recommendation 2003/361/EC as businesses with fewer than 250 employees and an annual turnover not exceeding EUR 50 million or a balance sheet total not exceeding EUR 43 million.
- SMCs (small mid-cap companies), introduced by Commission Recommendation 2025/1099 of 21 May 2025, are defined as companies with fewer than 750 employees and either an annual turnover below EUR 150 million or a balance sheet total below EUR 129 million — but which do not qualify as SMEs.
The most significant change (and the focus of this article) is the proposed amendment to Article 30(5) GDPR, which addresses the obligation to maintain a record of processing activities ("RoPA"). Under the Proposal, the exemption from keeping a RoPA would be extended to organisations with fewer than 750 employees, unless their processing is likely to result in a high risk to the rights and freedoms of individuals.
Importantly, the proposal removes the current condition that the RoPA exemption only applies if processing is "occasional" and does not involve special categories of data (Article 9(1)) or data on criminal convictions and offences (Article 10). These limitations have, in practice, made the current exemption largely unusable, especially since most organisations engage in regular or systematic processing of personal data.
By eliminating these conditions, the Commission aims to make the RoPA exemption more accessible in practice – particularly for SMCs and SMEs that are subject to regular but low-risk data processing.
Finally, the proposal also amends Articles 40(1) and 42(1) GDPR to include explicit references to SMEs and SMCs. This is intended to ensure that these categories of businesses are considered when developing codes of conduct and certification mechanisms, encouraging more tailored and proportionate compliance tools.
What do the EDPB and EDPS say?
Shortly after the proposal was published, the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") issued Joint Opinion 01/2025. While broadly supportive of the Commission's goal to ease compliance burdens for smaller businesses, the two authorities flagged several important concerns and made targeted recommendations.
One of the main criticisms is that the proposal lacks a proper assessment of its impact on fundamental rights, particularly the right to data protection. Given the nature of the changes, especially around core accountability obligations like the RoPA, the EDPB and EDPS argue that this omission should be addressed, ideally in the recitals of the final regulation.
The authorities also questioned the choice of the 750-employee threshold. The original draft had suggested 500 employees, but the final Proposal offered no explanation for the increase. Since this figure underpins the definition of SMCs, a clear rationale would help ensure consistency and transparency.
Another issue raised is a potential inconsistency between the proposal's recitals and the actual legal text. While Recital 9 states that the RoPA exemption is intended specifically for SMEs and SMCs, the new Article 30(5) refers only to organisations with fewer than 750 employees, without mentioning those categories explicitly. This means that businesses outside the formal definitions of SMEs and SMCs, but under the employee threshold, might benefit from the exemption, which may contradict the Commission's original intent. While a contextual reading could still support a narrow interpretation, greater legal certainty would be welcome in practice.
The EDPB and EDPS also made recommendations for both the Commission and data controllers. For controllers, the key message is caution: even if the new rules would exempt many SMCs (an estimated 38,000 across the EU) from maintaining a RoPA, the supervisory authorities strongly recommend keeping the register voluntarily. This is because:
- Controllers are still required to assess whether a processing activity is likely to result in a high risk to individuals.
- The use of special categories of data (Article 9(1)) or data relating to criminal offences (Article 10) remains highly relevant to that risk analysis, even though the Proposal removes explicit references to these articles in Article 30(5).
For the Commission, the EDPB and EDPS emphasised that any simplification must be proportionate, necessary, and balanced. They also recommended adding a recital to clarify that the term "organisation" used in Article 30(5) should not include public authorities, which would ensure that these entities remain subject to the RoPA obligation and avoid any ambiguity in enforcement.
Potential risks and open questions
While the Proposal's objective, namely reducing compliance burdens for smaller businesses, is more than welcome, several risks and uncertainties remain. As highlighted by the EDPB and EDPS in their Joint Opinion, the proposal requires further clarification and adjustment to fully deliver on its intended purpose.
A key concern relates to legal clarity. The current text does not specify whether a single high-risk processing activity would trigger the RoPA obligation for all processing activities within an organisation, even those that, on their own, do not involve a high risk. This ambiguity could create compliance confusion and undermine the predictability of the framework.
The decision to raise the employee threshold to 750 also introduces practical risks. In data-driven industries, this change could lead some companies to treat the RoPA as an optional tool, particularly if they can justify that their processing activities do not pose a high risk. In such cases, the core GDPR principle of accountability may be weakened, as RoPA plays a central role in demonstrating compliance.
Another risk is more strategic: by removing early-stage obligations like the RoPA, the proposal could disincentivize early investments in GDPR compliance by new or growing companies. While this lowers short-term administrative effort, it may result in higher costs and implementation challenges later on, when data processing operations become more complex and oversight increases. In this sense, a more cautious threshold (possibly lower than 750 employees) could offer a better balance between easing burdens and preserving accountability.
In conclusion, while the proposal takes meaningful steps toward making the GDPR more workable for smaller businesses, it must be fine-tuned to avoid unintended consequences. Ensuring legal certainty and reinforcing the long-term importance of accountability will ultimately make the framework more robust and business friendly. The Commission's challenge now is to align simplification with safeguards so that GDPR compliance remains not just lighter, but also more effective and future-proof for the full range of organisations it covers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.