On 21 May 2025, the European Commission published its Omnibus IV Simplification Package. The package aims to simplify rules in the single market and reduce bureaucracy, making it easier for businesses to operate, innovate and grow, while maintaining high standards of protection for consumers and the environment. The EC anticipates its proposals will cut €400m from annual administrative costs for businesses, with smaller companies poised to benefit most significantly.
Small-mid cap companies
To ease the administrative burden on growing businesses, the Commission proposes inserting a new category of "small mid-cap enterprises" (SMCs) into certain legislation which already makes compliance exceptions for SMEs. Currently, businesses face a sudden jump in compliance requirements when they outgrow the existing micro, small and medium-sized enterprise (SME) classification. The Commission is concerned this creates a "cliff edge" which may discourage growth and competitiveness.
SMEs are companies with fewer than 250 employees, and either turnover up to EUR5 million or balance sheet up to EUR43 million. SMCs will be companies with fewer than 750 employees, and either turnover up to EUR150 million or total assets up to EUR129 million.
The Commission estimates approximately 38,000 EU companies qualify as SMCs under this classification.
Impact on the GDPR
The category of SMC will be deployed (among other things) to reduce the compliance burden of the GDPR.
The main GDPR target of the proposed Regulation to amend the GDPR and other legislation (referred to here as Omnibus IV for ease) is Article 30(5). This provides a derogation from the obligation on controllers and processors to maintain records of processing for organisations and enterprises of under 250 people, except where the processing is likely to result in a high risk to the rights and freedoms of individuals, the processing includes special category data or personal data relating to criminal convictions and offences, or the processing is not occasional.
The Omnibus IV proposal would essentially extend the derogation to apply to enterprises and organisations with fewer than 750 employees (without the turnover/asset criteria needing to apply). In addition, it would broaden the scope of the derogation to the effect that it would apply unless the processing is likely to result in a high risk to data subjects as set out in Article 35 (which deals with when Data Protection Impact Assessments are required). Article 35 requires organisations to carry out DPIAs where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account where new technologies are being used and the nature, scope, context and purpose of the processing.
This proposed change would mean that processing special category data would not automatically prevent an enterprise from taking advantage of the Article 30(5) derogation. Of course, the nature of the data might still prevent the enterprise from relying on the derogation, even where the size criteria are met, if the processing is high risk.
In addition, Omnibus IV proposes introducing definitions of SMEs and SMCs into the GDPR, and:
- Amending Article 40 GDPR so that bodies drawing up codes of conduct would be required to consider the specific needs of SMCs as well as of SMEs
- Amending Article 42 GDPR so that the specific needs of SMCs as well as of SMEs are considered in relation to data protection certifications.
It's worth mentioning that the EC is also planning a Digital Omnibus which will look at simplifying the data acquis (among other things), but it is not currently expected to impact the GDPR.
EDPB and EDPS joint Opinion on the proposals
Given that the Omnibus IV proposal aims to amend the GDPR, the EDPB and EDPS were consulted and they published a joint Opinion on the proposals on 9 July 2025.
The Opinion makes a number of sensible points around drafting and consistency including:
- questioning why the re-framed Article 30(5) derogation does not refer to (what will be defined) SMEs and SMCs, but to "enterprises" and "organisations" with fewer than 750 employees
- recommending clarifying in the Recitals, that a record of processing will only be mandatory for those benefitting from the exemption in relation to processing activities which are likely to be high risk. There will be no requirement to keep a record of all processing activities simply because one set is likely to result in a high risk.
However, beyond clarification points, the EDPB and EDPS also have a number of policy concerns.
- They query why the Commission has fixed on the derogation applying to enterprises and organisations of fewer than 750 employees. They note that in some Member States, very few controllers and processors would reach that threshold and ask why the originally proposed threshold of 500 was deemed to be too low.
- They recommend clarifying that the proposed derogation should not apply to public authorities and bodies. The current Article 30(5) refers both to enterprises and organisations. The EDPB and EDPS say that it does not refer to "public authorities and bodies", a term used explicitly in Article 37(1)(a) GDPR, and therefore, while the term "organisation" includes not-for-profits and charities, it should be made clear that public authorities and bodies are not included. The Opinion makes the point that the aim of the Omnibus IV amendments is to simplify particularly for competitiveness and productivity. Consequently, Article 30(5) should explicitly exclude public authorities and bodies. Moreover, the Opinion suggests that it would be in contradiction of the special role accorded to public authorities and bodies under the GDPR to include them within the exemption.
- More significantly, while supporting the general objective of reducing the administrative burden of GDPR compliance for SMEs and SMCs (provided that does not lower the protection of the fundamental rights of individuals), they suggest Article 30 may not be an obvious target for reform. They point out that in many cases the record of processing is a means for controllers and processors to demonstrate accountability and to aid compliance with a wide range of GDPR obligations. By providing a comprehensive overview of data processing activities, the processing record can help with, for example, risk assessment, giving effect to data subject rights, assisting DPOs, helping understand the use of new technologies, documenting breaches, and data security. There is also the issue of how many businesses will realistically benefit from the proposals: many of the 38,000 enterprises potentially being brought into scope will still have to carry out an exercise to determine whether or not their processing is high risk, and may then have to comply with Article 30 requirements if they conclude the exemption does not apply to their processing activities.
What does this mean for you?
It is worth stressing that these changes will apply to the EU GDPR but not to the UK GDPR and clearly these proposals will only impact EU enterprises or organisations of under 750 employees. As the Opinion points out, while for the Article 30(5) derogation, only number of personnel is relevant, the (arguably less significant) changes to Articles 40 and 42 apply to SMCs, i.e. where turnover and total assets are also relevant. This may well change by the time the Omnibus IV proposal becomes law and we'd expect other inconsistencies to be ironed out during the legislative process.
The most significant change may not be to do with the organisation's size. Enterprises and organisations with fewer than 250 employees which may currently be out of scope of the derogation, for example because they process special category data, may now find themselves within it once Omnibus IV is passed, because their processing of that data does not pose a high risk to individuals. They are, however, still likely to have to carry out a DPIA to determine that.
The changes could ultimately also impact public authorities and bodies which may currently presume themselves to be within the scope of the derogation (although the EDPB and EDPS appear to suggest that they never have been). They may find themselves explicitly excluded if the recommendation in the Opinion is followed through.
Even if the changes impact the full 38,000 companies cited by the Commission, the real question is how much difference the changes will actually make to the overall GDPR compliance burden. As the Opinion points out, records of processing can be a starting point and an anchor for GDPR compliance so it's something many enterprises and organisations are likely to maintain, whether or not they are required to do so. The changes proposed to the GDPR by Omnibus IV therefore look rather minimalist when it comes to reducing the GDPR compliance burden.