European Commission proposes GDPR simplification for small mid-cap enterprises


On 21 May 2025, the European Commission unveiled its long-awaited fourth Simplification Omnibus package, which targets the General Data Protection Regulation (GDPR), the EU’s flagship data-protection legislation. The Commission states that its aim is to reduce bureaucracy and create a regulatory environment that drives innovation, growth, quality jobs and investment.

The following article outlines how the proposed GDPR simplification will achieve these objectives.

GDPR simplification

Article 30 of the GDPR states that each controller and processor must maintain a record of processing activities. A derogation provides that enterprises and organisations with fewer than 250 employees do not have to keep these records, provided that certain conditions are fulfilled. Notably, there is an exception if the processing is likely to result in a “risk” to the rights and freedoms of data subjects.

The present proposal was created to simplify and clarify the derogation by making the record-keeping mandatory only when the processing activities are likely to result in a “high risk” to the rights and freedoms of data subjects. The proposal would also broaden the scope of the derogation to include enterprises and organisations with fewer than 750 employees.

Further support to SMCs

Under Article 40 of the GDPR, associations and other bodies representing categories of controllers or processors are encouraged to draw up codes of conduct, taking into account the specific features of the various processing sectors and the specific needs of small and medium-sized enterprises (SMEs). The proposal would extend the scope of this provision to small mid-cap enterprises (SMCs), so that their needs are considered when codes of conduct are drawn up.

Under Article 42 of the GDPR, the Member States, data protection supervisory authorities, the European Data Protection Board and the Commission should encourage the establishment of data protection certification mechanisms and data-protection seals and marks by certification bodies, and the needs of SMEs should be taken into account. The proposal would extend the scope of this provision to SMCs, so that their needs are also considered when certifications are issued.

Definition of SMCs

The Commission determined that uniform rules applicable to all large enterprises are often too burdensome, disproportionate or a hindrance to the competitive development of enterprises expanding out of the SME segment. The new category of SMCs is made up of enterprises that are not SMEs according to Recommendation 2003/361/EC, employ fewer than 750 people and have an annual turnover not exceeding EUR 150 million or an annual balance sheet total not exceeding EUR 129 million.

What’s next?

The next Omnibus package, tentatively scheduled for June 2025, will focus on defence and aim to help investment in the sector and allow innovative companies to flourish. This will be followed by an Omnibus for the Chemical Industry and a Digital package.

The full text of the proposed GDPR simplification is available here. The Commission recommendation on the definition of SMCs is available here, with the accompanying annex available here.

For more information on how this GDPR simplification may impact your business, contact your CMS client partner or these CMS experts.

This article was co-authored by János Bálint.