On 21 May 2025, the European Commission published a proposal for a new regulation aimed at simplifying several EU legal instruments, including targeted amendments to the General Data Protection Regulation (GDPR). The announced objective is to ease compliance obligations for small and medium-sized enterprises (SMEs) and extend certain regulatory benefits to small mid-cap companies (SMCs) (a category of businesses that often face comparable regulatory burdens to large corporations but lack equivalent resources). In the field of data protection, the proposal focuses on revising the obligation to maintain records of processing activities under Article 30 GDPR. It suggests raising the employee threshold for this obligation and clarifying that record-keeping would only be required when processing is likely to pose a high risk to individuals’ rights and freedoms.
Some may consider this reform to be making a mountain out of a molehill.
I. Raising the Threshold: From 250 to 750 Employees
One of the most notable changes concerns Article 30(5) GDPR, which currently exempts organizations with fewer than 250 employees from maintaining records of processing activities, provided that the processing they carry out is not likely to result in a risk to the rights and freedoms of data subjects, is occasional, and does not involve special categories of data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR).
The proposal raises this threshold to 750 employees, potentially enabling approximately 38,000 additional companies to benefit from the exemption. This is, however, provided their processing activities are not likely to result in a high risk to data subjects.
While the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) support reducing the compliance burden on mid-sized companies, they have requested a more detailed justification for selecting 750 employees as the threshold (particularly since earlier drafts proposed a lower threshold of 500 employees).
II. Scope of the Exemption: Definitions and Public Sector Clarification
The EDPB and EDPS have also asked for explicit clarification that public authorities and bodies are excluded from the scope of the exemption. The current draft refers broadly to “organizations” (which could be misinterpreted to include non-profit entities, or other bodies not intended to benefit from the derogation).
To prevent ambiguity, it is recommended that the recitals explicitly confirm that public sector entities remain outside the scope of the exemption. This would ensure legal certainty and avoid unintended interpretations.
III. Clarifying When Record-keeping Remains Obligatory
The proposal introduces a simplified principle: record-keeping would be required for SMEs or SMCs only where processing is likely to result in a high risk to individuals’ rights and freedoms.
This aligns conceptually with Article 35 GDPR, which governs the requirement for Data Protection Impact Assessments (DPIAs). However, it remains the controller’s responsibility to assess the level of risk associated with each processing activity.
Importantly, the exemption does not mean that all SMEs and SMCs would be automatically relieved of record-keeping. Certain types of processing (such as large-scale employee monitoring or processing sensitive health data) may still qualify as high risk, regardless of organizational size.
The EDPB and EDPS further recommend clarifying that only high-risk processing activities must be recorded, rather than requiring companies to maintain records of all processing merely because one activity falls into a high-risk category.
Article 35(3) and Recitals 71, 75 and 91 provide some examples of when a processing operation is “likely to result in high risks”; these examples also rely on the notion of “processing on a large scale.” EDPB guidelines (WP 248 on data protection impact assessment and WP 243 on Data Protection Officers (DPOs)) provide additional guidance on activities “likely to result in high risks” and on “processing on a large scale.” In addition, each European Economic Area (EEA) member state has issued a black list of activities it considers high risk and a white list of activities not requiring a DPIA. Importantly, the first example under Article 35(3)(a) is “a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.” In the context of developing artificial intelligence (AI) tools, such an assessment of whether there is a likely high risk for data subjects will frequently be required.
IV. “Simplified” Rules: High-risk Processing as the Sole Trigger
Under the current GDPR, even organizations with fewer than 250 employees must maintain records if any of the following applies: the processing is likely to result in a risk, it is not occasional, it involves special categories of data, or it relates to criminal convictions and offences.
The new proposal replaces these conditions with a single risk-based criterion: records would only be required where processing is likely to pose a high risk to data subjects.
While this appears to be a simplification that aims to reduce administrative burdens, and is consistent with a risk-based approach, the EDPB and EDPS caution that it could inadvertently weaken data protection if organizations fail to conduct robust risk assessments. In fact, this criterion may be more complex for organizations to apply than the existing criteria, which are somewhat more straightforward. Indeed, determining what constitutes an operation “likely to result in high risks” for the rights and freedoms of individuals already requires a certain level of GDPR awareness and sophistication.
Depending on the nature and scope of processing (such as systematic monitoring or large-scale data collection), record-keeping may still be necessary to demonstrate accountability.
Moreover, while the formal record-keeping obligations are time consuming and, let’s be frank, a bit unpleasant, they are nevertheless a logical outcome of a data mapping exercise that remains necessary for ensuring GDPR compliance. In addition, the EDPB and EDPS emphasize that maintaining voluntary, proportionate records remains a recommended good practice. Even simplified documentation can be a valuable tool for demonstrating compliance and ensuring structured data governance.
V. Including SMCs in Codes of Conduct and Certification
The proposal also amends Articles 40(1) and 42(1) GDPR to explicitly include SMCs in the development of codes of conduct and certification schemes.
This change ensures that the specific compliance challenges of mid-sized enterprises are considered when creating practical tools and sectoral standards. It aligns with the EDPB’s 2024–2027 strategy (which promotes such instruments to foster regulatory certainty, reduce compliance burdens, and cultivate a culture of accountability).
Inclusion in these initiatives would allow SMCs to demonstrate good data governance and build trust with stakeholders (without being subject to the full administrative requirements that apply to larger organizations).
Next Steps
The proposal is currently under review by the European Parliament and the Council of the EU. No official adoption date has been announced, and it remains unclear whether a transitional period will be granted once the final regulation enters into force.
Key Takeaways
- The employee threshold for record-keeping exemptions would rise from 250 to 750 employees (potentially benefitting ~38,000 additional companies).
- Public authorities would remain excluded from the exemption (but this must be clarified explicitly).
- High-risk processing would become the sole trigger for mandatory record-keeping, and organizations will need to understand what kinds of activities fall under this definition.
- SMCs would gain greater involvement in codes of conduct and certification schemes.
- Voluntary record-keeping remains a recommended best practice for demonstrating accountability.
Elena Zavala contributed to this article.