On 21 May 2025, the European Commission (the Commission) published its fourth Omnibus Proposal. We previously published an introductory blog on the Omnibus Proposals. This time, the proposal includes, among other things, a simplification of the GDPR as part of the broader omnibus package for small and medium-sized enterprises. This reform mainly provides relief for smaller organisations. What are the key points?
Please note: this arrangement is a proposal currently before the Council of the European Union for first reading. The rules are therefore not yet applicable.
The Commission proposes to extend the exemption from the obligation to maintain a record of processing activities under the GDPR. This exemption would then apply not only to SMEs (up to and including 250 employees), but also to SMCs (up to and including 750 employees).
Want more detail? Read on.
The Commission explains that smaller organisations should not be burdened with unnecessary obligations and aims to stimulate their growth. Among other things, the (controversial) Draghi report shows that small and medium-sized enterprises (SMEs) and small mid-caps (SMCs) bear a disproportionate burden compared to larger organisations when it comes to European regulation. The effort required to comply with EU legislation is said to hinder the growth of these organisations, and that is precisely what the EU does not want at this moment.
SMEs are undertakings with fewer than 250 employees, an annual turnover of no more than EUR 50 million, or a balance sheet total of no more than EUR 43 million (according to the definition in the relevant legislation).
SMCs are organisations three times the size of an SME, meaning fewer than 750 employees and a turnover of up to EUR 150 million or a balance sheet total of up to EUR 129 million.
The aim of this proposal is to place SMCs on an equal footing with SMEs. Although larger, these organisations are often still in a growth phase, according to the Commission.
Under the GDPR, organisations that process personal data must maintain a record of processing activities (Article 30 GDPR). SMEs are exempt from this obligation (Article 30(5) GDPR), unless the processing is likely to result in a high risk, is not occasional, or involves special categories of personal data. The proposal revises this exemption and introduces the above-mentioned new category of undertakings, the SMCs.
Specifically, the Commission proposes to clarify the exemption and to require a record only where an SME or SMC carries out processing that is likely to result in a high risk to data subjects. In other words, if processing is likely to present a high risk, both SMEs and SMCs must record those processing activities in accordance with Article 30 GDPR. When assessing whether processing is likely to result in a high risk, the same considerations apply as when determining whether a Data Protection Impact Assessment (Article 35 GDPR) is required, or whether the processing involves special categories of personal data for the purposes of carrying out obligations or exercising specific rights of the controller or the data subject in the field of employment, social security, or social protection law (Article 9(2)(b) GDPR). In short, this concerns high-risk processing.
Based on the current wording proposed by the Commission, it therefore appears that, even in the case of non-occasional processing, SMEs and SMCs would not be required to maintain a record. Note, however, that this is not binding until a final text and interpretation are adopted. The amendment proposed by the Commission to Article 30(5) GDPR reads as follows: “5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or organisation employing fewer than 750 persons unless the processing it carries out is likely to result in a high risk to the rights and freedoms of natural persons within the meaning of Article 35.” How this will ultimately be implemented therefore remains unclear.
With this proposal, the Commission substantially broadens the exemption, from organisations with 250 employees to those with up to 750 employees. This brings many more organisations within scope. While mapping data flows at the introduction of the GDPR was a major undertaking for many established, larger organisations, this was less so for smaller organisations that were already GDPR-aware. Even so, this proposal essentially provides relief for “smaller” (or rather, non-large) organisations.
Remain vigilant, however. It remains essential to assess per processing activity whether there is (likely) a high risk to data subjects, for example when special categories of personal data are involved. In such cases, a DPIA remains mandatory, and so does the record of processing activities. For this assessment, also consult the list published by the Dutch supervisory authority of processing operations for which a DPIA is required. Want to know more about developments around the omnibus packages? See our introductory blog, which also discussed the postponement of the CSRD and the CSDDD.
Need help carrying out a DPIA? Our experts are happy to assist.