ARTICLE
29 May 2025

Proposed GDPR Simplifications For SMEs And SMCs

Arnold & Porter

Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.

On 21 May 2025, the European Commission published its Proposal for a Regulation ("Proposal"), amending several existing regulations, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), to simplify obligations for small and medium-sized enterprises ("SMEs") and extend certain mitigating measures to small mid-cap enterprises ("SMCs").

What is considered to be an SME and an SMC?

SMEs are organizations which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. [1]

According to the Proposal, SMCs are organizations that have outgrown the SME definition but are still considered small enough to enjoy certain simplified obligations, with a size threshold of roughly three times that of SMEs (yet to be precisely defined in the legislative process).

The proposed GDPR simplifications

  • Article 30 GDPR (Records of processing activities): The GDPR mandates that data controllers and processors maintain records of their processing activities ("ROPA"). Currently, SMEs and organizations with under 250 employees are exempt from this obligation unless the data processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional or the processing includes special categories of data or criminal conviction and offence data. The Proposal seeks to simplify the obligation by making ROPA mandatory for SMEs only when processing is likely to result in a high risk to individuals. Simultaneously, the Proposal aims to broaden this exemption to include SMCs and organizations with fewer than 750 employees.
  • Articles 40 and 42 GDPR (Codes of conduct and Certification): Articles 40 and 42 GDPR currently encourage the development of codes of conduct and certification mechanisms, respectively, while requiring consideration of the specific needs of SMEs. The Proposal aims to extend the scope of these provisions to explicitly include SMCs, ensuring that their specific needs are also taken into account when drawing up codes of conduct and establishing data protection certification mechanisms, thereby necessitating the addition of a reference to SMCs in those articles.

Practical implications

  • No ROPA if qualified as an SME or SMC, unless the processing activity is considered 'high risk': If an entity is considered to be an SME or SMC in the EU, it would not be required to establish and maintain a ROPA, on the condition that its processing activities are not likely to result in a 'high risk' to data subjects' rights and freedoms.
  • Processing of special categories of data could be 'high risk': For the definition of what constitutes a 'high risk', the Proposal refers to Article 35 GDPR on data protection impact assessments ("DPIA"). Article 35 GDPR lists the processing of special categories of data, including health data, as one of the situations in which a DPIA is required. This suggests that processing special categories of data may present a high risk to data subjects' rights and freedoms.
  • SMEs or SMCs in the life sciences sector are not automatically exempted from the ROPA obligation: The exemption under the Proposal from maintaining a ROPA will therefore not automatically apply to SMEs and SMCs operating in the life sciences sector when they process data concerning health, as these activities may be interpreted as 'high risk' to the rights and freedoms of data subjects. The GDPR generally mandates strict application when handling sensitive information, including health data.

Next steps

This Proposal will now be submitted to the European Parliament and the Council of the EU for their consideration and adoption over the coming months. It is important to highlight that both institutions can introduce additional amendments to the GDPR that are not currently included in the European Commission's Proposal.

Footnote

1. See Article 2.1 of Commission Recommendation 2003/361/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32003H0361.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
