Proposed GDPR Simplifications for SMEs and SMCs

By Alexander Roussanov, Jami Vibbert & Camille Vermosen on May 22, 2025

On 21 May 2025, the European Commission published its Proposal for a Regulation (“Proposal”), amending several existing regulations, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), to simplify obligations for small and medium-sized enterprises (“SMEs”) and extend certain mitigating measures to small mid-cap enterprises (“SMCs”).

What is considered to be an SME and SMC

SMEs are organizations which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.[1]

According to the Proposal, SMCs are organizations that have outgrown the SME definition but are still considered small enough to benefit from certain simplified obligations, with a size threshold about three times that of SMEs (yet to be precisely defined in the legislative process).

The proposed GDPR simplifications

  • Article 30 GDPR (Records of processing activities): The GDPR mandates that data controllers and processors maintain records of their processing activities (“ROPA”). Currently, SMEs and organizations with under 250 employees are exempt from this obligation unless the data processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional or the processing includes special categories of data or criminal conviction and offence data. The Proposal seeks to simplify the obligation by making ROPA mandatory for SMEs only when processing is likely to result in a high risk to individuals. Simultaneously, the Proposal aims to broaden this exemption to include SMCs and organizations with fewer than 750 employees.
  • Articles 40 and 42 GDPR (Codes of conduct and Certification): Articles 40 and 42 GDPR currently encourage the development of codes of conduct and certification mechanisms, respectively, while requiring consideration of the specific needs of SMEs. The Proposal aims to extend the scope of these provisions to explicitly include SMCs, ensuring that their specific needs are also taken into account when drawing up codes of conduct and establishing data protection certification mechanisms, thereby necessitating the addition of a reference to SMCs in those articles.  

Practical implications

  • No ROPA if qualified as SME or SMC, unless processing activity is considered ‘high risk’: If an entity is considered to be an SME or SMC in the EU, such entity would not be required to establish and maintain a ROPA on the condition that the processing activities are not likely to result in a ‘high risk’ to data subjects’ rights and freedoms.
  • Processing of special categories of data could be ‘high risk’: For the definition of what constitutes ‘high risk’, the Proposal refers to Article 35 GDPR on data protection impact assessments (“DPIA”). Article 35 GDPR refers to the processing of special categories of data, including health data, as one of the situations in which a DPIA is required. This suggests that when processing special categories of data, there may be a high risk to the rights and freedoms of data subjects.
  • SMEs or SMCs in the life sciences sector not automatically exempted from ROPA obligation: Therefore, the exemption under the Proposal from the obligation to maintain a ROPA will not automatically apply to SMEs and SMCs operating in the life sciences sector when processing data concerning health, as these activities may be interpreted as ‘high risk’ to the rights and freedoms of data subjects. The GDPR generally mandates strict application when handling sensitive information, including health data.

Next steps

This Proposal will now be submitted to the European Parliament and the Council of the EU for their consideration and adoption over the coming months. It is important to highlight that both institutions can introduce additional amendments to the GDPR that are not currently included in the European Commission’s Proposal.


[1] See Article 2.1 Commission Recommendation 2003/361/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32003H0361.

  • Posted in:
    Health Care
  • Blog:
    BioSlice Blog
  • Organization:
    Arnold & Porter Kaye Scholer LLP