GDPR Review – Fewer Record-Keeping Obligations for Small Mid-Cap Companies in Sight

by Trygve Karlstad and Luca Tosoni

As we anticipated in our last newsletter, on 21 May 2025, the European Commission issued a legislative proposal to partially amend Regulation (EU) 2016/679 (GDPR).

The amendments to the GDPR proposed by the European Commission are very limited and are exclusively intended to partially reduce the administrative burden and costs that the GDPR imposes on small mid-cap companies (SMCs), i.e. companies with fewer than 750 employees. Currently, the GDPR contains measures that simplify record-keeping requirements and reduce administrative burdens for micro, small and medium-sized enterprises (SMEs), defined as companies with fewer than 250 employees. Under the new proposal, SMCs may similarly be exempted from maintaining records of processing activities (Article 30 GDPR) if their processing activities are not 'high-risk' (for example, processing sensitive data solely in order to carry out obligations in the field of employment and social security would not be considered high-risk).

In essence, the proposed changes will affect only certain small and mid-sized companies and are not aimed at modifying any of the key requirements laid down in the GDPR. However, it remains to be seen whether, during the legislative process, the European Parliament and the Council will attempt to introduce further changes.

Proposed Amendments to GDPR

Record-Keeping Obligations (Article 30 GDPR)

Under Article 30 GDPR, controllers and processors are currently required to maintain a record of their processing activities.

However, paragraph 5 of the same Article provides a derogation from such a record-keeping obligation for enterprises or organisations with fewer than 250 employees, unless their processing is likely to pose a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive data or data relating to criminal convictions and offences.

The Commission's legislative proposal aims to extend the scope of that derogation, so that all organisations with fewer than 750 employees whose processing activities are not likely to result in a 'high risk' to the rights and freedoms of data subjects are exempted from the record-keeping requirement set out in Article 30 GDPR. The notion of 'high risk' should be interpreted in accordance with Article 35 GDPR, and would thus cover activities such as systematic monitoring of a publicly accessible area on a large scale, processing of sensitive data on a large scale, etc.

In essence, compared to today's regime, both the risk threshold and the company size threshold for being exempted from the obligation to maintain a record of processing activities will be made less strict if the proposal is adopted.

Codes of Conduct (Article 40 GDPR)

Article 40 GDPR provides that the Member States, the supervisory authorities, the European Data Protection Board (EDPB), and the European Commission are to encourage the drawing up of codes of conduct, taking the specific needs of SMEs into account.

The Commission's proposal would modify Article 40 GDPR to add that the specific needs of SMCs should also be taken into account when drawing up codes of conduct, in addition to the needs of SMEs. In other words, the needs of larger companies (up to 750 employees) should be taken into account as well in this context.

Certifications (Article 42 GDPR)

Article 42 GDPR aims to encourage the establishment of data protection certification mechanisms, seals and marks for the purpose of demonstrating compliance with GDPR, taking into account the specific needs of SMEs.

The Commission's proposal would modify Article 42 to specify that the needs of SMCs should be taken into account as well.

Practical impact and way forward

Given the limited scope of the proposed amendments and the fact they do not concern any of the key obligations under the GDPR, the practical impact of the proposal is likely to be limited.

However, to enter into force, the proposed amendments need to be approved by the European Parliament and the Council, both of which may propose amendments during the legislative process. Thus, it cannot be excluded that further changes to the GDPR will be introduced during the legislative process.

It is still unclear when this legislative proposal will be formally adopted at EU level. However, the proposed changes are unlikely to apply before 2026.