European Commission proposes GDPR simplification for small mid-cap companies

Proposal to extend exemptions from GDPR record-keeping.

On May 21, 2025, the European Commission adopted a new proposal aimed at simplifying compliance with the General Data Protection Regulation (GDPR) for small mid-cap companies (SMCs). The initiative intends to extend the derogations currently applicable to small and medium-sized enterprises (SMEs) to SMCs while maintaining the protection of individuals’ personal data.

This proposal follows a joint opinion from the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), issued on May 8, 2025, which expressed support for the Commission’s GDPR simplification initiative, while emphasizing that it would not exempt data controllers and data processors from their other obligations under GDPR.

Proposed changes to the GDPR introduced by the European Commission

Article 30(5) of the GDPR introduces an exemption from the obligation to maintain records of processing activities (ROPAs) for organizations with fewer than 250 employees, except if the data processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data or criminal convictions and offences data. The Commission proposes to broaden this exemption to include SMCs and organizations with fewer than 750 employees.

Under the revised proposal, these organizations will only be required to maintain ROPAs if the processing is likely to pose high risks to the rights and freedoms of data subjects as defined in Article 35 of the GDPR.

Notably, references to non-occasional data processing (e.g. payroll, customer and supplier management) and the systematic processing of sensitive data (e.g. health data, criminal records) have been removed from the current proposal. The Commission also clarifies that processing of sensitive data for purposes related to employment, social security, and social protection under Article 9(2)(b) of the GDPR does not in itself trigger the requirement to maintain a ROPA.

Additionally, the proposal foresees the revision of Articles 40 and 42 of the GDPR to explicitly take into account the specific needs of SMCs, both when sector-specific codes of conduct are drawn up and when data protection certification mechanisms, seals and marks are issued.

It is important to emphasize that the proposed simplifications do not alter other GDPR obligations. This includes, in particular, the obligation to conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR, notify data breaches to supervisory authorities and data subjects when required, provide transparent privacy notices to data subjects, ensure effective management of data subject rights, and appoint a Data Protection Officer (DPO) when necessary.

The new ROPA exemption: what should SMCs do?

The ROPA is one of the core accountability tools introduced by the GDPR. It marked a significant shift away from the previous prior notification regime under Directive 95/46/EC, where certain data processing operations had to be notified to data protection authorities, towards a system based on internal and proactive documentation. Under the GDPR, data controllers and data processors are required to maintain comprehensive internal records of their processing activities to demonstrate compliance and ensure transparency.

For many organizations, maintaining an accurate and up-to-date ROPA remains a demanding and resource-intensive exercise. In this context, the European Commission’s proposal to exempt certain SMCs from this obligation may offer welcome relief, particularly for those without a dedicated privacy team or privacy compliance tools.

While the proposed simplification may reduce administrative obligations for SMCs, the ROPA plays a central role in demonstrating GDPR compliance. As emphasized by the CNIL, it can be used as the foundation of a structured compliance roadmap. It also allows organizations to log the history of personal data breaches and to centralize documentation relating to international data transfers (such as Standard Contractual Clauses or Binding Corporate Rules) and to the data processors involved in the processing.

For SMCs that fall within the scope of the proposed simplification, and especially those that already maintain a ROPA, it may be wise to continue doing so. This is particularly relevant when the organization carries out new processing activities, or when existing ones are likely to evolve in a way that could trigger high-risk scenarios under Article 35 of the GDPR.

Maintaining the ROPA in such cases not only supports the Data Protection Officer, where one is designated, in fulfilling their responsibilities, but also strengthens the organization’s ability to demonstrate its GDPR compliance in the event of regulatory scrutiny.

In the meantime, organizations should begin identifying whether they will fall within the scope of the new exemption regime. If so, organizations should evaluate how this change may impact their GDPR compliance program and determine whether any adjustments are appropriate or necessary.

What’s next?

The proposal must now be reviewed and adopted by both the European Parliament and the Council of the European Union before it can enter into force. If adopted, the new rules are expected to take effect in 2026.

Clarisse Knaebel is a European-qualified lawyer with CIPP/E and CIPP/A certifications, offering global privacy and AI consulting services.