GDPR Simplification: Exemptions Expanded for Smaller Businesses

This blog was originally posted on 22nd May 2025, and was updated on 14th October 2025. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.
AUTHORED BY ANI NOZADZE, SENIOR REGULATORY COMPLIANCE SPECIALIST AND TEAM LEAD, COMPLIANCE & RISKS
A Step Towards Simplification
In May 2025, the EU Commission adopted a Single Market Simplification proposal aimed at reducing bureaucracy and barriers for small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs). As part of this package, on 21 May 2025 the Commission introduced draft amendments to the EU General Data Protection Regulation (GDPR), among other instruments. On 26 September 2025, the EU Council's position was made available; it proposes further changes to the Commission's initial draft.
The proposed changes concern a number of GDPR provisions, including Article 30, which requires controllers and processors to maintain a record of processing activities (RoPA).
Record of Processing Activities: Proposed Changes to Article 30
Currently, Article 30(5) provides a derogation for enterprises and organizations that employ fewer than 250 persons. Under this derogation, such entities do not have to keep a RoPA unless any one of the following applies: the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (Article 9(1)) or personal data relating to criminal convictions and offences (Article 10). In practice, because most organizations process employee and customer data on a regular rather than occasional basis, many sub-250 entities fall outside the current derogation.
The Commission's initial proposal would extend the derogation to SMCs and to organizations with fewer than 750 employees. The EU Council's revised proposal would extend it further, to enterprises and organizations with fewer than 1000 employees. In both versions the "not occasional" and "special categories" conditions are dropped, so such organizations would still need to maintain a RoPA only where their processing is likely to result in a high risk within the meaning of Article 35 (the trigger for a Data Protection Impact Assessment). The Council's proposal further clarifies that enterprises and organizations with fewer than 1000 employees that carry out high-risk processing would be required to keep records only of those specific processing activities that are likely to result in a high risk to data subjects' rights and freedoms, rather than a full RoPA.
For illustrative purposes, below is the current text of Article 30(5) alongside the wording from the Commission's proposal and the wording from the EU Council's position:

| Current text | EU Commission's initial draft (May 2025) | EU Council's position (September 2025) |
|---|---|---|
| "Article 30 Records of processing activities […] 5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10." | "Article 30 Records of processing activities […] 5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 750 persons unless the processing it carries out is likely to result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35." | "Article 30 Records of processing activities […] 5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 1000 persons, unless and to the extent that the processing it carries out is likely to result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35." |
Defining SMCs
SMCs are companies that exceed the thresholds of the SME definition (fewer than 250 employees and either an annual turnover of up to EUR 50 million or a balance sheet total of up to EUR 43 million) but are still not considered large enterprises. On 28 May 2025, the EU Commission published Recommendation (EU) 2025/1099 defining small mid-cap enterprises. The Commission's draft amendments to the GDPR also add definitions of "micro, small and medium-sized enterprises" and "small mid-cap enterprises" to Article 4. The EU Council's revised proposal amends the definition of "small mid-cap enterprises" to cover enterprises that are not micro, small or medium-sized enterprises, that employ fewer than 1000 persons, and that have either an annual turnover of not more than EUR 200 million or an annual balance sheet total of not more than EUR 172 million.
Codes of Conduct & Certification
The draft amendment also touches Articles 40 and 42. These provisions currently require the Member States, the data protection authorities, the European Data Protection Board and the EU Commission to encourage the drawing up of codes of conduct by industry associations and the establishment of data protection certification mechanisms, seals and marks by certification bodies or data protection authorities. When codes of conduct and certification mechanisms are developed, the specific needs of micro, small and medium-sized enterprises must be taken into account. The proposal extends this requirement from SMEs to SMCs, so that their needs are taken into consideration as well.
Stay Informed on GDPR
Discussions are ongoing in the privacy compliance community about whether companies can expect any further "simplification" of obligations under the GDPR, such as the requirement to appoint a Data Protection Officer or to conduct Data Protection Impact Assessments.
Compliance & Risks is closely monitoring this draft and we will provide updates on any further developments.
Stay Ahead Of Regulatory Changes like the EU General Data Protection Regulation
Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.
C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.
- Accelerate time-to-market for products
- Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
- Enable business continuity by digitizing your compliance process and building corporate memory
- Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
- Save time with access to Compliance & Risks’ extensive Knowledge Partner network