EU Omnibus IV and GDPR Simplification

On 21 May 2025, the European Commission unveiled its fourth Omnibus Simplification Package, a reform package aimed at slashing €400 million in administrative burdens across the EU, as part of the ongoing Single Market Simplification effort. Among the key reforms is the formal introduction of a new corporate category, “small mid-cap enterprises” (“SMCs”), which is intended to smooth the sharp regulatory ‘cliff’ between SMEs and large enterprises. Notably, however, this reclassification carries significant implications for data protection, as the European Commission proposes to expand exemptions under the General Data Protection Regulation.

SMCs

A core component of this package is the formal recognition of SMCs, which are defined as businesses with fewer than 750 employees and either under €150 million in turnover or €129 million in assets.

In comparison, the previous regime, enshrined by Commission Recommendation 2003/361/EC, comprised three classifications:[1]

Category | Employees | Financial thresholds
Micro Enterprises | ≤ 10 employees | Annual turnover / balance sheet total of ≤ €2 million
Small Enterprises | ≤ 50 employees | Annual turnover / balance sheet total of ≤ €10 million
Medium-sized Enterprises | ≤ 250 employees | Annual turnover of ≤ €50 million / balance sheet total of ≤ €43 million
Small Mid-cap Enterprises | ≤ 750 employees | Annual turnover of ≤ €150 million / balance sheet total of ≤ €129 million

 

Current SMCs, amounting to approximately 38,000 across the EU,[2] now stand to benefit from reduced obligations under several regulatory frameworks, including those imposed by the GDPR.

Interestingly, however, not all stakeholders are celebrating.

Changes to GDPR obligations for SMCs

A key amendment targets Article 30 of the GDPR. Currently, only firms with fewer than 250 employees enjoy limited exemptions from maintaining Records of Processing Activities. Under the new proposal, that exemption would extend to SMCs, so long as their processing is not “likely to result in a high risk to the rights and freedoms of data subjects”, as per Article 35 of the GDPR.

In response, the European Consumer Organisation BEUC has strongly pushed back, warning that such a carve-out risks weakening GDPR enforcement, particularly for firms scaling in size and data complexity.

While the Commission maintains that core GDPR principles, such as lawfulness, accountability and transparency, remain untouched, the practical implications may tell a different story. BEUC asks how, without robust record-keeping obligations, data protection authorities can audit or verify compliance, especially in cross-border cases. The risk is that firms may avoid maintaining any meaningful processing inventory unless formally required, undermining the GDPR’s long-standing “privacy by design” ethos.

Next steps

Notwithstanding the above, the proposal is still in the early stages of the legislative process and must pass through the European Parliament and Council trialogue. Of course, stakeholder consultations, including input from the European Data Protection Board and the European Data Protection Supervisor, will be pivotal in shaping the final text.

Undoubtedly, the EU’s simplification strategy signals a bold move toward administrative efficiency and regulatory proportionality. However, in areas as sensitive as data protection and product safety, “less” must not become synonymous with “lax.”

For further reading: European Commission – Press Release

Author: Dr J.J. Galea


[1] Article 2, Commission Recommendation 2003/361/EC

[2] https://ec.europa.eu/commission/presscorner/api/files/attachment/881208/Factsheet%20-%20Small%20mid-caps.pdf

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.