The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion in response to the European Commission’s proposal to simplify certain obligations under the EU GDPR (the Proposal).
A key element of the Proposal is a revision to Article 30(5), which governs record-keeping obligations for small and medium-sized enterprises (SMEs) and newly defined small mid-cap enterprises (SMCs). In short, the EU is looking to cut the amount of data protection regulation that falls on small(er) businesses.
In this blog, we will look at the Proposal and how it might affect companies operating in the EU.
The Commission’s Proposal
The Proposal seeks to provide a more coherent regulatory approach for SMCs – companies that have outgrown the SME thresholds but are not yet classified as large enterprises.
By extending certain SME-specific mitigations (such as those in the EU GDPR) to include SMCs, the Proposal aims to reduce compliance burdens and facilitate growth by avoiding overly broad application of rules designed for much larger organisations.
As part of its Omnibus IV legislative package, the European Commission proposed the following key amendments to the GDPR:
- Introduction of definitions for SMEs and SMCs within the EU GDPR itself, codifying the two categories.
- Extension of the Article 30(5) derogation from the obligation to maintain “records of processing activities” to organisations with fewer than 750 employees (the current exemption stops at fewer than 250 employees), provided that their processing is not likely to result in a high risk to data subjects. This raises the disqualifying threshold from the current “risk” to “high risk”.
- Explicit inclusion of SMCs, alongside SMEs, in the EU GDPR provisions that require Member States, supervisory authorities, the EDPB and the Commission to encourage codes of conduct and certification schemes which take account of the specific needs of smaller enterprises, potentially shaping member state level frameworks for organisations that qualify as SMCs.
What the EDPB & EDPS say: key highlights
The Commission formally requested the opinion of the EDPB and EDPS on the Commission’s Proposal.
The EDPB and EDPS expressed broad support for the Proposal’s measures to simplify the EU GDPR.
However, the EDPB and EDPS emphasised that such changes must not compromise data protection principles or the rights of individuals under the EU GDPR.
The EDPB and EDPS also requested further justification and supporting evidence, including a more detailed assessment of the Proposal’s impact on fundamental rights and on the overall effectiveness of the EU GDPR framework.
Support for reducing administrative burden
The EDPB and EDPS welcome the objective of reducing administrative burdens for SMEs and SMCs, especially where processing activities are low risk. However, they stress that any simplification must remain proportionate, necessary and consistent with Article 8 of the Charter of Fundamental Rights of the European Union, which guarantees the right to the protection of personal data.
They specifically call for a formal assessment of how extending the exemption from the EU GDPR requirement to maintain “records of processing activities” to SMCs could impact individuals’ rights – an assessment which the EDPB and EDPS noted was not submitted alongside the Proposal.
Limited and targeted scope
The EDPB and EDPS acknowledge that the proposed change to Article 30(5) represents a targeted and limited amendment to the EU GDPR. In their view, the Proposal therefore does not significantly affect the EU GDPR’s key principles or other obligations such as transparency, lawful basis or the obligation to carry out data protection impact assessments (DPIAs).
The EDPB and EDPS also stressed that accountability remains a cornerstone of GDPR. Even where formal record-keeping may no longer be legally required, SMEs and SMCs are still encouraged to adopt proportionate and practical measures (e.g. simplified registers or internal templates) to demonstrate ongoing compliance.
Clarifying risk-based record-keeping
The Proposal ties the obligation to maintain records of processing under Article 30 to a risk-based threshold: records would only be required where processing is likely to result in a high risk to data subjects, the same standard used for DPIAs under Article 35 GDPR.
Note that this carve-out currently applies to organisations with fewer than 250 employees. But the current wording of Article 30(5) states that an organisation with fewer than 250 employees cannot rely on the exemption if the processing is likely to result in a ‘risk’ – not just a ‘high risk’. The current text also removes the exemption where the processing is not occasional or involves special category data or data relating to criminal convictions and offences, conditions that very few organisations can satisfy in practice.
The EDPB and EDPS noted that this change is likely to be more impactful than simply raising the 250 threshold to 750, because most businesses of any size will process data that may result in a ‘risk’ to data subjects.
Moreover, the Proposal seeks to add wording to the EU GDPR which would clarify that processing of special category personal data for the purposes of employment, social security and social protection law would not, of itself, be treated as likely to result in a high risk for the purposes of Article 30(5). This would mean that the major source of high-risk personal data processed by businesses (special category personal data about their employees) would not itself trigger an obligation to maintain records of processing activities.
The EDPB and EDPS stressed that this further addition should be narrowed to make clear that some activities in this field could still involve high-risk processing, such as systematic monitoring of employees.
Clarifications as to definitions and scope
The joint opinion also calls for improved clarity in how the new definitions of SMEs and SMCs are applied within Article 30(5), rather than relying on broader or undefined enterprise categories. Additionally, the EDPB and EDPS recommend that public authorities and bodies be explicitly excluded from the derogation to avoid confusion.
They further question why the Commission selected the ‘fewer than 750 persons’ threshold as the eligibility cut-off for the record-keeping exemption under the GDPR and request a clear policy rationale.
Additional points on codes and certification
The extension of Articles 40 and 42 (which deal with the development and maintenance of codes of conduct and certification schemes, respectively) to SMCs is welcomed as it gives SMEs and SMCs access to sector-specific codes of conduct and certification schemes.
These mechanisms can support lighter-touch, but still effective approaches to compliance, especially for mid-sized entities navigating cross-border data protection responsibilities.
The EDPB and EDPS encourage continued development of such frameworks with the particular needs of SMCs in mind.
What does this mean for organisations?
SMEs & SMCs: Flexible record-keeping (with preparation)
If adopted, the Proposal would relax formal record-keeping obligations under Article 30 GDPR for SMEs and SMCs, meaning they would no longer be automatically required to document all processing activities, provided no high-risk processing takes place.
The vast majority of businesses operating in the EU would therefore be exempted from a significant obligation under the EU GDPR.
However, organisations must still assess each processing activity to determine its risk. Where processing is likely to result in a high risk (for example large-scale profiling, or processing of biometric data or data relating to criminal offences), the obligation to maintain records and to carry out a DPIA remains.
Organisations should also ensure their internal policies reflect the new definition of an SMC, which turns not only on employee count but also on turnover and balance sheet thresholds.
If the EDPB and EDPS recommendation is taken up, public authorities and bodies would be explicitly excluded from the derogation, and this distinction should be factored into internal assessments of applicability.
Codes of conduct & certification schemes
The proposed inclusion of SMCs in GDPR’s codes of conduct and certification mechanisms offers an opportunity for these organisations to adopt more tailored, efficient ways of demonstrating compliance. Sector-specific frameworks could provide practical tools that align with their scale and resource levels.
Accountability remains
Even if formal record-keeping obligations are lifted, SMEs and SMCs are encouraged to maintain alternative forms of audit trails, such as simplified records, documentation templates or automated logs.
These tools support the EU GDPR’s accountability principle and facilitate oversight. The EDPB and EDPS view such internal tools as important in upholding the principles of the GDPR even where formal obligations are reduced.
Conclusion
The joint EDPB–EDPS opinion reflects a cautious but constructive endorsement of the Proposal to simplify GDPR obligations for SMEs and SMCs. The regulators recognise the value in reducing unnecessary compliance burdens, provided that simplifications do not weaken fundamental data protection rights.
However, the EDPB and EDPS’ requests for clearer definitions, the explicit exclusion of public bodies and a robust assessment of the Proposal’s impact on rights suggest that further refinements are expected before the Proposal is finalised.
Reform of the EU GDPR follows closely behind reform of the UK GDPR. Certainly within Europe, there is a cross-border trend to lighten data protection regulation where possible, in order to focus on (and more heavily regulate) areas of specific concern, such as AI or online safety.
Organisations should monitor developments closely, begin reviewing their processing risk profiles and prepare to adapt internal compliance frameworks in line with the finalised provisions of the reforms to the EU GDPR (and the UK GDPR).
At EM Law, we advise clients on EU GDPR compliance, data protection strategies, and regulatory developments affecting SMEs and mid-sized businesses. If you have any questions about the proposed EU GDPR simplifications, whether your organisation qualifies as an SME or SMC, or how best to prepare for evolving record‑keeping obligations, please don’t hesitate to contact us here.