The Omnibus IV Package: the (un)expected GDPR simplification

Legal Eubdate
25 June 2025
Data protection
Digital & data protection

On 21 May 2025 the European Commission published a proposal for a regulation to amend the GDPR and to introduce simplification measures for small mid-cap enterprises (the “Proposal”). The proposal is part of the Omnibus IV Simplification Package, which forms part of the broader Single Market Simplification initiatives to simplify rules and reduce bureaucracy across the European Single Market.

GDPR simplification: focus on SMCs

Against the background of emerging voices that want to enhance European competitiveness, the Proposal introduces the following measures to minimise the burden of the GDPR on SMEs and SMCs:

  • New definitions: the European Commission proposes including the explicit definition of “micro, small, and medium-sized enterprises” alongside a – new and yet to be quantified – definition of “small mid-cap enterprises (SMCs). Adding the new SMC category ensures that companies outgrowing the SME definition are covered by the proposed simplification measures. 
     

  • Derogation from the obligation to maintain records of processing activities for enterprises with fewer than 750 employees: the European Commission proposes to limit the obligation of maintaining a record of processing activities (article 30 GDPR) to companies with 750 employees or more. Companies with fewer than 750 employees will only be required to keep a record of processing activities in exceptional cases, namely where there is a high risk (instead of a risk) to the rights and freedoms of individuals. The simplification lowers the threshold for falling under the exception in article 30 of the GDPR and at the same time broadens the scope so that SMCs can also be covered.
     

  • Codes of conduct and certification: the Proposal aims to extend the scope of articles 40 and 42, allowing account to be taken of the specific needs of SMEs and to explicitly include SMCs. The specific needs of both SMEs and SMCs can thereby be considered when drafting codes of conduct and laying down data protection certification mechanisms.

Next steps

The Proposal will be reviewed and adopted by the European Parliament and the Council of the EU over the coming months. This may lead to additional amendments to the GDPR that are not yet included in the current Proposal.

The above initiatives suggest that there are more GDPR simplifications to come. Eubelius’s Digital & Data Protection team will continue to monitor these developments. 

Stay tuned for more updates!

Anneleen Van de Meulebroucke

Partner
lois

Loise Waithira

Attorney

The EU Data Act in force: What changes on 12 September 2025?

On 12 September 2025, the EU Data Act entered into force, introducing a transformative framework to create a fairer data economy.

New European GDPR procedural rules for cross-border cases on the way

On 16 June 2025, the Council and the European Parliament reached political agreement on the “GDPR Procedural Regulation” (a Regulation...

Are data protection class actions the next big thing?

Recent developments suggest that data protection class actions may be gaining traction in the EU, as they already are elsewhere around the...