GDPR: Proposed exceptions for Small Mid-Cap Enterprises (SMCs)

The European Commission has published a legislative proposal (COM(2025) 501 final) to amend the General Data Protection Regulation (GDPR) by extending certain simplification measures and derogations currently available to SMEs, to a broader category of businesses known as Small Mid-Cap Enterprises (SMCs).

This targeted proposal marks a significant development in the European data protection landscape, aiming to introduce greater regulatory proportionality and reduce the administrative burden on high-growth businesses.

🔍 Key Changes at a Glance

The proposed amendments would bring several impactful updates to the GDPR, particularly for organisations with up to 750 employees. These changes include:

1️⃣ Record of Processing Activities (RoPA) – Article 30(5) GDPR

Current rule: SMEs with fewer than 250 employees are exempt from maintaining a record of processing activities unless:

  • Processing is likely to result in a high risk to data subjects,

  • It is not occasional, or

  • It involves special categories of data (Article 9) or criminal data (Article 10).

Proposed amendment:

  • The exemption threshold increases to 750 employees, applying to SMCs.

  • Record-keeping will only be required when the processing is likely to result in a “high risk” to data subjects’ rights and freedoms under Article 35.

  • Processing of special categories of data for employment or social protection purposes (Article 9(2)(b)) will no longer trigger the obligation by default.

2️⃣ Codes of Conduct – Article 40 GDPR

Current rule: Encourages industry codes of conduct that consider the specific needs of micro, small, and medium-sized enterprises (SMEs).

Proposed amendment:

  • The scope explicitly includes SMCs, ensuring that codes of conduct developed by industry bodies are also tailored to the operational realities of mid-cap businesses.

3️⃣ Certification Mechanisms – Article 42 GDPR

Current rule: Certification schemes should account for SME needs.

Proposed amendment:

  • SMCs are now also entitled to special consideration, making it easier for mid-sized enterprises to obtain certifications and demonstrate GDPR compliance in a scalable manner.

4️⃣ New Definitions – Article 4 GDPR

The proposal introduces official definitions for:

  • SMEs, as per Commission Recommendation 2003/361/EC.

  • SMCs, defined as enterprises with up to 750 employees, in line with the forthcoming Commission Recommendation (2025).

💡 Why This Matters

This proposal is more than a procedural tweak—it reflects a broader policy shift within the EU to align regulatory obligations with the capacity of businesses to comply.

Around 20% of SMCs were SMEs just three years ago. Without regulatory adaptation, such companies often face a “cliff effect”: a sudden increase in compliance obligations that can stifle growth.

By extending SME-like treatment to SMCs in key areas of the GDPR, the Commission supports business scaling, innovation, and legal clarity—especially in sectors such as:

  • Technology and digital innovation,

  • Aerospace and defense,

  • Energy and renewables,

  • Health and industrial ecosystems.

⚖️ SGK Legal Commentary

This initiative demonstrates the European Commission’s recognition that regulation must evolve with the realities of business scaling. It mirrors a fundamental principle of data protection law: proportionality.

At SGK Legal, we see this as a step toward a more agile and innovation-friendly regulatory environment—without compromising fundamental data subject rights.

📅 What Comes Next?

The proposal is now moving through the ordinary legislative procedure (trilogue). Once adopted, the new provisions will apply across the EU, requiring data controllers and processors to reassess their obligations—especially those nearing or recently surpassing SME status.

📢 How We Can Help

At SGK Legal, we support organisations navigating the full spectrum of data protection compliance—from startups to mid-sized firms and international groups.

Our services include:

  • Data protection audits,

  • DPIA and RoPA assessments,

  • Industry code of conduct implementation,

  • Certification readiness,

  • Representation before supervisory authorities.

📬 Subscribe to our GDPR Update Newsletter: eepurl.com/i2kv8A