Omnibus IV Explained: A New Push to Simplify EU Data Protection Rules


Authors: Kate Francis, Davide Baldini, Laura Senatore, Lorenzo Covello

 

 

Background

On 21 May 2025, the European Commission published a Proposal for a Regulation[1] amending several existing Regulations,[2] including Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”).[3] The aim of the Proposal is to extend certain mitigating measures currently available to small and medium sized enterprises (“SMEs”) to Small Mid-Cap companies (“SMCs”) and to introduce additional simplification measures. The proposed reform, known as the Simplification Omnibus IV, was introduced following the publication of the European Commission’s Competitive Compass,[4] the Draghi report on European competitiveness,[5] and Enrico Letta’s “Much more than a market” report.[6] It is part of a wider strategy of the Commission announced in its February 2025 Work Programme[7] and follows the Simplification Omnibus I and II proposals on sustainability and investments[8] and Omnibus III on agricultural policy.[9]

The aim of the Simplification Omnibus IV is to reduce administrative burdens and foster economic competitiveness, long-term growth, and innovation. Specifically, the Commission aims to reduce compliance costs, improve clarity in regulations, and provide opportunities for growth for SMEs and SMCs.[10] Under the current European regulatory framework, SMCs are subject to the same compliance obligations as large companies. With the Proposal, the Commission has acknowledged that such companies may face a disproportionate administrative burden and need specific policy support in this regard.

 

Proposed amendments to the GDPR

The Proposal contains the following proposed amendments to the GDPR:

        1. Article 4 GDPR would be amended to include new definitions of ‘micro, small, and medium-sized enterprises’ and ‘small mid-cap enterprises’;
        2. Record-keeping obligations under Article 30 would be amended to broaden the scope of the derogation currently provided under Article 30(5) GDPR to also include SMCs and organizations with fewer than 750 employees;
        3. Articles 40 and 42 GDPR, concerning codes of conduct and certification mechanisms respectively, would be amended to reference SMCs.

 

Article 4 GDPR – Definitions

The Proposal would amend Article 4 GDPR (definitions) by adding two new definitions, one for micro enterprises and SMEs, and one for SMCs:

        • “(27) ‘micro, small, and medium-sized enterprises’ means enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC”;[11]
        • “(28) ‘small mid-cap enterprises’ means enterprises as defined in point (2) of the Annex to Commission Recommendation of 21.5.2025 on the definition of small mid-cap enterprises – C(2025) 3500 final”.[12]

The Annex to the Commission Recommendation of 21 May 2025 on the definition of small mid-cap enterprises states that SMCs are enterprises which are not SMEs “in accordance with Recommendation 2003/361/EC, employ fewer than 750 persons and have an annual turnover not exceeding EUR 150 million or an annual balance sheet total not exceeding EUR 129 million.” To calculate staff headcount and financial amounts when determining whether an organization qualifies as an SMC, reference should be made to the aforementioned Recommendation, which contains the relevant definitions.

It must be noted, in any case, that the threshold for qualifying as an SMC appears to include “linked enterprises”, i.e., other companies belonging to the same group. This means that in order for a company which is part of a group to qualify as an SMC, the group itself would need to qualify as an SMC.[13]

 

Article 30 GDPR – Record of Processing Activities

Of particular interest, the Proposal would simplify and clarify the derogation to the requirement to maintain a Record of Processing Activities (“RoPA”) for SMCs. Currently, Article 30(5) GDPR exempts organizations with fewer than 250 employees from the obligation to maintain a RoPA unless (i) the processing carried out by the organization is likely to impact the rights and freedoms of individuals, (ii) the processing is not occasional, and (iii) the processing includes special categories of personal data under Article 9(1) GDPR or relates to criminal convictions under Article 10 GDPR.

The Proposal would amend Article 30, paragraph 5 GDPR to extend such an exception to companies and organizations with fewer than 750 employees, under the condition that the processing carried out by the organization is not likely to “result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35 [GDPR]”. Recitals 9 and 11 of the Proposal clarify that SMCs are exempted from such obligation and that “the processing of special categories of personal data in accordance with Article 9(2)(b) does not, as such, trigger the obligation to maintain records of processing.”[14]

 

Articles 40 and 42 GDPR

Article 40 GDPR on codes of conduct and Article 42 GDPR on certification currently only make reference to the Member States, supervisory authorities, the Board and the Commission encouraging the establishment of such mechanisms, taking into consideration the needs of “micro, small and medium-sized enterprises”. The proposed changes to these articles would extend the scope of these provisions to SMCs so as to ensure that their unique needs are considered when drawing up codes of conduct and when issuing certifications.

 

Conclusion

With Omnibus IV, the European Commission is aiming to simplify the data protection landscape to increase European economic competitiveness. It remains to be seen how these proposed amendments will be received by the European Parliament and the Council. Nevertheless, the Proposal signals growing awareness of the compliance burdens faced by businesses, in particular SMEs and SMCs.

If adopted, the proposed changes could ease regulatory pressure on SMCs, potentially allowing them to reallocate resources from compliance to innovation, growth, and international expansion. The extension of the RoPA exemption threshold, if interpreted and applied consistently, would represent a significant practical shift for some mid-sized companies.

 

Key operational takeaway

As the Proposal moves through the legislative process, businesses should closely monitor updates and implementation timelines to anticipate necessary adjustments in case they fall within the scope of application of the Proposal.

 

 

 

[1] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2016/1036, (EU) 2016/1037, (EU) 2017/1129, (EU) 2023/1542 and (EU) 2024/573 as regards the extension of certain mitigating measures available for small and medium sized enterprises to small mid-cap enterprises and further simplification measures, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52025PC0501R%2801%29

[2] The Omnibus simplification “introduces targeted amendments to the following eight legislative acts:

  • General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679
  • Regulation on protection against dumped imports – Regulation (EU) 2016/1036
  • Regulation on protection against subsidised imports – Regulation (EU) 2016/1037
  • Markets in financial instruments Directive – Directive (EU) 2014/65
  • Prospectus Regulation – Regulation (EU) 2017/1129
  • Batteries Regulation – Regulation (EU) 2023/1542
  • Critical entities resilience Directive – Directive (EU) 2022/2557
  • Fluorinated greenhouse gas Regulation – Regulation (EU) 2024/573”.

See European Commission, Questions and answers on simplification omnibus IV, 21 May 2025, https://ec.europa.eu/commission/presscorner/detail/en/qanda_25_1278

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[4] European Commission, An EU Compass to regain competitiveness and secure sustainable prosperity, 29 January 2025, https://ec.europa.eu/commission/presscorner/detail/en/ip_25_339

[5] European Commission, The Draghi report on EU competitiveness, https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en#paragraph_47059

[6] Enrico Letta, Much More than a Market, April 2024, https://www.consilium.europa.eu/media/ny3j24sm/much-more-than-a-market-report-by-enrico-letta.pdf

[7] European Commission, Questions and answers on simplification omnibus IV, 21 May 2025, https://ec.europa.eu/commission/presscorner/detail/en/qanda_25_1278

[8] See European Commission, Commission proposes to cut red tape and simplify business environment, 26 February 2025, https://commission.europa.eu/news-and-media/news/commission-proposes-cut-red-tape-and-simplify-business-environment-2025-02-26_en

[9] European Commission, 2025 CAP simplification and competitiveness package, https://agriculture.ec.europa.eu/overview-vision-agriculture-food/eu-actions-address-farmers-concerns_en#ref-2025-cap-simplification-and-competitiveness-package

[10] European Commission, Simplifying the Single Market, https://single-market-economy.ec.europa.eu/single-market/simplification_en

[11] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36, ELI: http://data.europa.eu/eli/reco/2003/361/oj).

[12] Commission Recommendation of 21.5.2025 on the definition of small mid-cap enterprises – C(2025) 3500 final.

[13] See the definition of “linked enterprises” https://single-market-economy.ec.europa.eu/document/download/58fb9167-2598-4d53-8478-43b5b68b2b6f_en?filename=Recommendation%20-%20Small%20mid-caps%20%28Annex%29.pdf

[14] Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2016/1036, (EU) 2016/1037, (EU) 2017/1129, (EU) 2023/1542 and (EU) 2024/573 as regards the extension of certain mitigating measures available for small and medium sized enterprises to small mid-cap enterprises and further simplification measures, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52025PC0501R%2801%29

Recital 9 of the Proposal states that: “In order to reflect the above, it is necessary to amend Article 30(5) of Regulation (EU) 2016/679, by extending the scope of the derogation from the record-keeping obligation to SMCs and organisations with fewer than 750 employees to allow also them to profit from that derogation and by providing that the derogation applies unless the processing is likely to result in a ‘high risk’ to data subjects’ rights and freedoms, within the meaning of Article 35 of Regulation (EU) 2016/679. In particular the processing of personal data referred to in paragraph 3 of that provision should be considered as requiring the data controller or the processor to maintain records of its processing activities.”

Recital 11 states that: “Furthermore, in order to extend to SMCs, the provisions that are available for micro, small and medium-sized enterprises under Regulation (EU) 2016/679, the following articles should also be amended:

Article 4, which contains the definitions applicable for the purpose of Regulation (EU) 2016/679. For reasons of clarity, definitions should be added for micro, small and medium-sized enterprises, and for small mid-cap enterprises. For small and medium-sized enterprises, it is appropriate to follow the choice of the co-legislator as expressed in recital (13) of the preamble to Regulation (EU) 2016/679. For SMCs, reference should be made to point 2 of Commission Recommendation 2025/EC/XXX of XX May 2025”. Article 9(2)(b) GDPR refers to the processing “for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”.

ICTLC Italy
italy@ictlegalconsulting.com