
GDPR Simplification: Exemptions Expanded for Smaller Businesses

May 22, 2025

This blog was originally posted on 22nd May, 2025. Further regulatory developments may have occurred after publication.

AUTHORED BY ANI NOZADZE, SENIOR REGULATORY COMPLIANCE SPECIALIST AND TEAM LEAD, COMPLIANCE & RISKS


A Step Towards Simplification

In May 2025, the EU Commission adopted a Single Market Simplification proposal, aiming to reduce bureaucracy and barriers for small and medium enterprises (SMEs), and small mid-cap companies (SMCs). As part of this proposal, on 21 May 2025, the Commission introduced draft amendments to the EU General Data Protection Regulation (GDPR), among others.

The proposed changes relate to a number of GDPR provisions, including Article 30, which requires controllers and processors of personal data to maintain a record of processing activities (RoPA).

Record of Processing Activities: Proposed Changes to Article 30

Currently, Article 30(5) provides a derogation for SMEs and other organisations employing fewer than 250 persons. Under this derogation, such entities do not have to keep a RoPA unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or special categories of data or personal data relating to criminal convictions and offences are being processed.

The new proposal aims to extend the above derogation to SMCs and organisations with fewer than 750 employees. These organisations would still need to maintain a RoPA if their processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects within the meaning of Article 35 of the Regulation.

For illustrative purposes, below is the current edition of Article 30(5) and the proposed wording:

Current text:

“Article 30 Records of processing activities […]
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”

Proposed text:

“Article 30 Records of processing activities […]
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 750 persons unless the processing it carries out is likely to result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35.”

Defining SMCs

SMCs are companies that exceed the thresholds of the SME definition (enterprises with fewer than 250 employees, combined with an annual turnover of up to 50 million euro or a balance sheet total of up to 43 million euro) but are still not considered large enterprises. The Commission is, in parallel, developing a harmonised definition of SMCs. The current proposal also adds the definitions of “micro, small and medium-sized enterprises” and “small mid-cap enterprises” to Article 4 of the GDPR.

Codes of Conduct & Certification

The draft amendment also relates to Articles 40 and 42. These provisions currently require the Member States, data protection authorities, the European Data Protection Board and the EU Commission to encourage industry associations to draw up codes of conduct, and to establish data protection certification mechanisms, seals and marks through certification bodies or data protection authorities. In developing codes of conduct, certification mechanisms and the like, the specific needs of micro, small and medium-sized enterprises are to be taken into account. The proposal extends this from SMEs to SMCs so that their needs are taken into consideration as well.

Stay Informed on GDPR

Discussions have been ongoing in the privacy compliance community on whether companies can expect any further “simplification” of obligations under the GDPR – such as the requirements to appoint Data Protection Officers or to conduct Data Protection Impact Assessments.

Compliance & Risks will closely monitor this draft and provide updates on any developments.
