On 21 May 2025, the European Commission unveiled the long-awaited fourth Simplification Omnibus package, signalling a major shift in compliance requirements under the GDPR. A key highlight is the newly introduced category of Small Mid-Cap Enterprises (SMCs) with fewer than 750 employees and an annual turnover not exceeding €150 million or a total balance sheet of up to €129 million .
What’s changing?
Under the proposal, SMCs (as well as SMEs and organisations with under 750 employees) are going to benefit from simplified GDPR rules and derogations. For instance, these businesses will only be required to maintain a register of all data processing activities if their activities pose a “high risk” to rights and freedoms of data subjects. This measures, and others proposed, aim to cut red tape and help growing businesses avoid immediate large-enterprise obligations.
Key Takeaways
- New Thresholds: SMC status now covers enterprises with less than 750 employees; up to €150m turnover or €129m total assets
- Reduced Record-Keeping: You only need detailed processing records for high-risk data operations if you qualify as an SMC/SME
- Codes of Conduct & Certifications: SMC perspectives must be included in future sector-specific privacy codes and certification schemes
- More to Come: The next Omnibus package expected in June 2025 will focus on defence, followed by additional legislation for digital markets
The Omnibus package proposals aim to streamline compliance and boost innovation across the EU.
Should you have any queries on the fourth Simplification Omnibus, please do not hesitate to get in touch with Ron Galea Cavallazzi and Sharon Xuereb.
