/>iOn May 21, 2025, the European Commission published a proposal for a new regulation simplifying certain regulatory requirements for “small mid-cap enterprises” (the “Simplification Regulation Proposal”). Small mid-caps will be companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in balance sheet.
As part of its simplification efforts, the European Commission proposes amending the EU General Data Protection Regulation (“GDPR”) by extending the derogation from the obligation to maintain records of processing activities (Article 30(5) of the GDPR) to small mid-caps. The current version of the derogation is only applicable to companies employing fewer than 250 persons.
The amended derogation would apply unless an organization carries out processing activities that are likely to result in a high risk to the rights and freedoms of individuals, expanding the current formulation. In this context, the European Commission proposes clarifying that the processing of special categories of personal data which is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the individual in the field of employment and social security and social protection law will not impact the derogation under Article 30(5) of the GDPR.
In addition, the Simplification Regulation Proposal also proposes amending the GDPR to require that the needs of small mid-caps be specifically considered when drafting GDPR codes of conduct, certification mechanisms, seals, and marks.
The Simplification Regulation Proposal will now be subject to the EU’s legislative procedure and may be further amended by the European Parliament or the Council.
Read the Simplification Regulation Proposal.
