EC Proposes GDPR Amendments to Simplify SME, SMC Compliance

The European Commission has introduced a new package of measures aimed at simplifying the Single Market and reducing bureaucracy: Simplifying the Single Market. These initiatives are intended to facilitate business operations, foster innovation, and support growth, all while upholding robust consumer and environmental protections.

On 21 May 2025, the European Commission published a draft Proposal for a Regulation amending several cornerstone EU Regulations, including:

• Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”);
• Regulation (EU) 2016/1036 on the protection against dumped imports from countries not members of the European Union;
• Regulation (EU) 2016/1037 on the protection against subsidised imports from countries not members of the European Union;
• Regulation (EU) 2017/1129 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market;
• Regulation (EU) 2023/1542 concerning batteries and waste batteries;
• Regulation (EU) 2024/573 on fluorinated greenhouse gases;

This legislative package is part of a broader strategy to strengthen the competitiveness and sustainable growth of the EU business sector, known as the Omnibus Package, with a particular focus on small and medium-sized enterprises (SMEs) and, for the first time, small mid-cap enterprises (SMCs). The initiative aims to ensure that companies transitioning beyond SME status are not subject to disproportionate compliance obligations, thereby supporting innovation, job creation, and economic resilience across the EU. This proposal presented on the 21^st of May 2025 is called the fourth Simplification Omnibus package.

For more information on the Omnibus Package:

Legal Flash | Towards the simplification of sustainability reporting

Post | European Commission proposal to amend CS3D Directive

Post | The EU Competitiveness Compass and the first omnibus proposals

Post | Omnibus I Proposal: amendment of environmental taxonomy

Post | Omnibus I and its impact on CS3D

Post | Approval of "Stop-the-Clock" Directive: impact on business

The proposed GDPR amendments are designed to make data protection obligations more proportionate for smaller organizations.

• Revised Record-Keeping Obligations

The scope of the record-keeping obligation in Article 30(5) of the GDPR has been revised:

• Enterprises and organizations with fewer than 750 employees are exempt from maintaining records of processing activities, unless these processing activities are likely to result in a high risk to the rights and freedoms of data subjects within the meaning of Article 35.
• This represents a significant increase from the previous threshold of 250 employees, reflecting the recognition that SMCs, like SMEs, often lack the resources to manage extensive compliance documentation.
• It also entails a significant broadening of the material scope of the exception, as it is now only limited to the fact that the processing is likely to result in a high risk – not merely a risk, as the original text sets forth. The conditions that the processing is not occasional or that it includes special categories of data have also been removed in the proposal.
• In the same vein, the amendment clarifies that processing special categories of personal data solely for employment or social security purposes does not, by itself, trigger the record-keeping obligation (Recital 10).

Impact: This targeted approach aims to alleviate unnecessary administrative tasks for organizations whose data processing activities are routine and low-risk, while maintaining robust safeguards where higher risks are present.

•  Sector-Specific Codes of Conduct and Certification Mechanisms

Further, the proposal amends Articles 40 and 42 to ensure that the development of sector-specific codes of conduct and data protection certification mechanisms explicitly takes into account the needs of SMCs, in addition to SMEs.

Benefit: This guarantees that organizations moving beyond SME status continue to benefit from tailored compliance support and practical guidance.

• Formal Definitions for SMEs and SMCs

The amendments also introduce formal definitions for both SMEs and SMCs within the GDPR.

SMEs are defined as enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. On the other hand, on the European Commission Recommendation (EU) 2025/1099, SMCs are defined as companies which, according to their last annual or consolidated accounts, meet at least two of the following three criteria: (i) an average number of employees during the financial year of less than 750, a total balance sheet not exceeding EUR 129 000 000 and an annual net turnover not exceeding EUR 150 000 000; (ii) small mid-cap enterprises as defined in Article 4(1), point (13a), of Directive 2014/65/EU.

Result:  This aligns with existing EU recommendations and provides greater legal certainty and consistency across EU law.

These targeted amendments are intended to reduce administrative burdens and streamline compliance for SMEs and SMCs, while maintaining robust data protection standards.

By tailoring obligations to the size and risk profile of organizations, the European Commission seeks to foster a more dynamic and resilient business environment within the Single Market.