News alert: EDPB and EDPS issue Joint Opinion 01/2025 on the Proposal for a Regulation on simplification measures for SMEs and SMCs

On 09.07.2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued Joint Opinion 01/2025 (“Joint Opinion”) on the European Commission’s Proposal for a Regulation amending certain regulations, including the General Data Protection Regulation (GDPR). The European Commission’s Proposal, issued on 21.05.2025, provides for the extension of a set of mitigating measures currently available to small and medium enterprises (SMEs) to small mid-cap enterprises (SMCs), as well as for further simplification measures (hereinafter the “Proposal”).

  1. Overview of the proposed amendments to the GDPR

The Proposal provides for the following changes to be introduced in the GDPR:

  • Introducing a definition of SMEs and SMCs into Article 4 GDPR: SMEs are defined as enterprises within the meaning of Article 2 of the Annex to Commission Recommendation 2003/361/EC, i.e. enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million and/or an annual balance sheet total not exceeding EUR 43 million. SMCs are defined as enterprises within the meaning of point (2) of the Annex to the Commission Recommendation of 21 May 2025 on the definition of small mid-cap enterprises, i.e. enterprises which are not SMEs in accordance with Recommendation 2003/361/EC, which employ fewer than 750 persons, and which meet specific financial criteria (an annual turnover not exceeding EUR 150 million or a balance sheet total not exceeding EUR 129 million).
  • Broadening the scope of the derogation from the obligation to maintain a record of processing activities under Article 30(5) GDPR to include enterprises or organizations employing fewer than 750 persons: This derogation currently applies to enterprises and organizations with fewer than 250 employees, with exceptions for certain types of processing. Under the Proposal, the record-keeping obligation would remain mandatory for such enterprises and organizations only where the processing is “likely to result in a high risk to the rights and freedoms of data subjects”. Specifically, under the current regime, the Article 30(5) exemption applies only to organizations employing fewer than 250 persons and only where the processing (i) is “occasional”, (ii) does not include special category data, and (iii) is unlikely to pose a risk to the rights and freedoms of data subjects. The Proposal simplifies these qualifiers and relaxes the threshold: the record-keeping obligation is removed for organizations with fewer than 750 employees, so long as the processing activities are not likely to result in a high risk to data subjects’ rights and freedoms. In essence, compared to today’s regime, both the risk and the company-size thresholds for being exempted from the obligation to maintain a record of processing activities will be made less strict, if the Proposal is adopted.
  • Extending the scope of Articles 40(1) and 42(1) GDPR to SMCs, so that their specific needs are also considered when codes of conduct are drawn up and in the context of certification mechanisms. These tools are currently designed to help enterprises and organizations demonstrate compliance with the GDPR, with a focus on the specific needs of SMEs. The Proposal extends the scope of these provisions to explicitly include SMCs, ensuring that their specific needs are also taken into account when codes of conduct are drawn up and data protection certification mechanisms are established; this requires adding a reference to SMCs in those articles.
  2. Opinion of the EDPB and EDPS on the proposed amendments

In their Joint Opinion, the EDPB and EDPS express their support for the general objective of reducing administrative burdens for SMEs and SMCs, provided that the protection of fundamental rights, and data protection in particular, is not compromised. In this regard, they point to the absence of a formal assessment of the Proposal’s impact on fundamental rights.

In general, the proposed amendments are described as targeted and limited, leaving the core data protection principles and obligations under the GDPR unaffected. In relation to the European Commission’s simplification efforts, the EDPB and EDPS highlight the importance of an approach based on the principles of proportionality, balancing, and necessity.

The EDPB and EDPS encourage SMEs and SMCs that benefit from the derogation to adopt appropriate alternative methods to support GDPR compliance and to avoid negative impacts on data subjects’ rights, while highlighting the ongoing efforts to provide practical resources and guidance to SMEs to facilitate compliance.

The EDPB and EDPS recommend further clarifications on:

  • The rationale for selecting the 750-employee threshold, as opposed to the initially considered 500.
  • The use of the term “enterprise” in the exemption, which may inadvertently cover organizations that do not qualify as SMEs or SMCs because of the financial criteria. Specifically, the new exemption in Article 30(5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also include financial criteria. To ensure that the exemption benefits SMEs and SMCs, the Joint Opinion recommends referring to the newly introduced definitions of SME and SMC.
  • The exclusion of public authorities and bodies from the scope of the derogation, to maintain accountability in the public sector.
  3. Potential impact of the proposed amendments

The proposed amendments aim to reduce the administrative burden on SMEs and SMCs and to simplify their compliance with data protection requirements, so as to support competitiveness and innovation in the EU. In particular, the proposed simplification aims to reduce the administrative burden for a substantial number of enterprises, freeing up resources that can be redirected towards core business activities and innovation and helping enterprises to remain competitive. It is worth mentioning that, as highlighted in the Draghi Report on EU competitiveness, due to high GDPR compliance costs (estimated to reach up to EUR 500,000 for SMEs and up to EUR 10 million for large organizations), EU companies have decreased data storage by 26% and data processing by 15% compared with comparable companies in the USA[1].

Nevertheless, while the removal of the record-keeping obligation for many SMEs and SMCs reduces compliance costs, it also places greater responsibility on enterprises and organizations to ensure that alternative methods are in place to support GDPR compliance and accountability. Additionally, the requirement to assess whether personal data processing is “likely to result in a high risk” remains; enterprises must therefore still assess and monitor their data processing activities and carry out risk assessments in order to comply with data protection requirements.

In closing, the amendments to the GDPR, which seek to make it more flexible and improve efficiency at companies without weakening the protection of personal data, should be welcomed and encouraged. It remains to be seen, following the enactment of the amendments, how businesses will react to the changes and how these can be implemented in practice.


[1] “The future of European competitiveness”, Part B, In-depth analysis and recommendations, p. 319.