{"id":1629,"date":"2025-05-22T13:59:45","date_gmt":"2025-05-22T10:59:45","guid":{"rendered":"https:\/\/sgklegal.gr\/?p=1629"},"modified":"2025-05-22T14:04:24","modified_gmt":"2025-05-22T11:04:24","slug":"gdpr-proposed-exceptions-fo-small-mid-cap-enterprises-smcs","status":"publish","type":"post","link":"https:\/\/sgklegal.gr\/en\/gdpr-proposed-exceptions-fo-small-mid-cap-enterprises-smcs\/","title":{"rendered":"GDPR: Proposed exceptions fo Small Mid-Cap Enterprises (SMCs)"},"content":{"rendered":"<p data-start=\"348\" data-end=\"658\">The European Commission has published a <a href=\"https:\/\/single-market-economy.ec.europa.eu\/document\/download\/d88a75de-b620-4d8b-b85b-1656a9ba6b8a_en?filename=Proposal%20for%20a%20Regulation%20-%20Small%20mid-caps.pdf\" target=\"_blank\" rel=\"noopener\">legislative proposal (COM(2025) 501 final)<\/a> to amend the General Data Protection Regulation (GDPR) by extending certain simplification measures and derogations currently available to SMEs, to a broader category of businesses known as <strong data-start=\"621\" data-end=\"657\">Small Mid-Cap Enterprises (SMCs)<\/strong>.<\/p>\n<p data-start=\"660\" data-end=\"884\">This targeted proposal marks a significant development in the European data protection landscape, aiming to introduce greater <strong data-start=\"786\" data-end=\"816\">regulatory proportionality<\/strong> and reduce the <strong data-start=\"832\" data-end=\"857\">administrative burden<\/strong> on high-growth businesses.<\/p>\n<h2 data-start=\"891\" data-end=\"920\">\ud83d\udd0d Key Changes at a Glance<\/h2>\n<p data-start=\"922\" data-end=\"1085\">The proposed amendments would bring several impactful updates to the GDPR, particularly for organisations employing up to <strong data-start=\"1044\" data-end=\"1061\">750 employees<\/strong>. These changes include:<\/p>\n<h3 data-start=\"1087\" data-end=\"1158\">1\ufe0f\u20e3 Record of Processing Activities (RoPA) \u2013 <strong data-start=\"1136\" data-end=\"1158\">Article 30(5) GDPR<\/strong><\/h3>\n<p data-start=\"1160\" data-end=\"1282\"><strong data-start=\"1160\" data-end=\"1176\">Current rule<\/strong>: SMEs with fewer than 250 employees are exempt from maintaining a record of processing activities unless:<\/p>\n<ul data-start=\"1283\" data-end=\"1459\">\n<li data-start=\"1283\" data-end=\"1348\">\n<p data-start=\"1285\" data-end=\"1348\">Processing is likely to result in a high risk to data subjects,<\/p>\n<\/li>\n<li data-start=\"1349\" data-end=\"1375\">\n<p data-start=\"1351\" data-end=\"1375\">It is not occasional, or<\/p>\n<\/li>\n<li data-start=\"1376\" data-end=\"1459\">\n<p data-start=\"1378\" data-end=\"1459\">It involves special categories of data (Article 9) or criminal data (Article 10).<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1461\" data-end=\"1484\"><strong data-start=\"1461\" data-end=\"1483\">Proposed amendment<\/strong>:<\/p>\n<ul data-start=\"1485\" data-end=\"1876\">\n<li data-start=\"1485\" data-end=\"1560\">\n<p data-start=\"1487\" data-end=\"1560\"><strong data-start=\"1487\" data-end=\"1541\">The exemption threshold increases to 750 employees<\/strong>, applying to SMCs.<\/p>\n<\/li>\n<li data-start=\"1561\" data-end=\"1716\">\n<p data-start=\"1563\" data-end=\"1716\"><strong data-start=\"1563\" data-end=\"1660\">Record-keeping will only be required when the processing is likely to result in a &#8220;high risk&#8221;<\/strong> to data subjects\u2019 rights and freedoms under Article 35.<\/p>\n<\/li>\n<li data-start=\"1717\" data-end=\"1876\">\n<p data-start=\"1719\" data-end=\"1876\"><strong data-start=\"1719\" data-end=\"1875\">Processing of special categories of data for employment or social protection purposes (Article 9(2)(b)) will no longer trigger the obligation by default<\/strong>.<\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"1883\" data-end=\"1929\">2\ufe0f\u20e3 Codes of Conduct \u2013 <strong data-start=\"1910\" data-end=\"1929\">Article 40 GDPR<\/strong><\/h3>\n<p data-start=\"1931\" data-end=\"2072\"><strong data-start=\"1931\" data-end=\"1947\">Current rule<\/strong>: Encourages industry codes of conduct that consider the specific needs of micro, small, and medium-sized enterprises (SMEs).<\/p>\n<p data-start=\"2074\" data-end=\"2099\"><strong data-start=\"2074\" data-end=\"2096\">Proposed amendment<\/strong>:<\/p>\n<ul data-start=\"2100\" data-end=\"2275\">\n<li data-start=\"2100\" data-end=\"2275\">\n<p data-start=\"2102\" data-end=\"2275\">The scope explicitly includes <strong data-start=\"2132\" data-end=\"2140\">SMCs<\/strong>, ensuring that codes of conduct developed by industry bodies are also <strong data-start=\"2211\" data-end=\"2274\">tailored to the operational realities of mid-cap businesses<\/strong>.<\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"2282\" data-end=\"2336\">3\ufe0f\u20e3 Certification Mechanisms \u2013 <strong data-start=\"2317\" data-end=\"2336\">Article 42 GDPR<\/strong><\/h3>\n<p data-start=\"2338\" data-end=\"2407\"><strong data-start=\"2338\" data-end=\"2354\">Current rule<\/strong>: Certification schemes should account for SME needs.<\/p>\n<p data-start=\"2409\" data-end=\"2434\"><strong data-start=\"2409\" data-end=\"2431\">Proposed amendment<\/strong>:<\/p>\n<ul data-start=\"2435\" data-end=\"2615\">\n<li data-start=\"2435\" data-end=\"2615\">\n<p data-start=\"2437\" data-end=\"2615\">SMCs are now also <strong data-start=\"2455\" data-end=\"2492\">entitled to special consideration<\/strong>, making it easier for mid-sized enterprises to obtain certifications and demonstrate GDPR compliance in a scalable manner.<\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"2622\" data-end=\"2666\">4\ufe0f\u20e3 New Definitions \u2013 <strong data-start=\"2648\" data-end=\"2666\">Article 4 GDPR<\/strong><\/h3>\n<p data-start=\"2668\" data-end=\"2717\">The proposal introduces official definitions for:<\/p>\n<ul data-start=\"2718\" data-end=\"2903\">\n<li data-start=\"2718\" data-end=\"2775\">\n<p data-start=\"2720\" data-end=\"2775\"><strong data-start=\"2720\" data-end=\"2728\">SMEs<\/strong>, as per Commission Recommendation 2003\/361\/EC.<\/p>\n<\/li>\n<li data-start=\"2776\" data-end=\"2903\">\n<p data-start=\"2778\" data-end=\"2903\"><strong data-start=\"2778\" data-end=\"2786\">SMCs<\/strong>, defined as enterprises with up to <strong data-start=\"2822\" data-end=\"2839\">750 employees<\/strong>, in line with the forthcoming Commission Recommendation (2025).<\/p>\n<\/li>\n<\/ul>\n<h2 data-start=\"2910\" data-end=\"2932\">\ud83d\udca1 Why This Matters<\/h2>\n<p data-start=\"2934\" data-end=\"3111\">This proposal is more than a procedural tweak\u2014it reflects a <strong data-start=\"2994\" data-end=\"3018\">broader policy shift<\/strong> within the EU to <strong data-start=\"3036\" data-end=\"3110\">align regulatory obligations with the capacity of businesses to comply<\/strong>.<\/p>\n<p data-start=\"3113\" data-end=\"3310\">Around <strong data-start=\"3120\" data-end=\"3166\">20% of SMCs were SMEs just three years ago<\/strong>. Without regulatory adaptation, such companies often face a \u201ccliff effect\u201d: a sudden increase in compliance obligations that can stifle growth.<\/p>\n<p data-start=\"3312\" data-end=\"3484\">By extending SME-like treatment to SMCs in key areas of the GDPR, the Commission supports <strong data-start=\"3402\" data-end=\"3453\">business scaling, innovation, and legal clarity<\/strong>\u2014especially in sectors such as:<\/p>\n<ul data-start=\"3485\" data-end=\"3607\">\n<li data-start=\"3485\" data-end=\"3521\">\n<p data-start=\"3487\" data-end=\"3521\">Technology and digital innovation,<\/p>\n<\/li>\n<li data-start=\"3522\" data-end=\"3546\">\n<p data-start=\"3524\" data-end=\"3546\">Aerospace and defense,<\/p>\n<\/li>\n<li data-start=\"3547\" data-end=\"3571\">\n<p data-start=\"3549\" data-end=\"3571\">Energy and renewables,<\/p>\n<\/li>\n<li data-start=\"3572\" data-end=\"3607\">\n<p data-start=\"3574\" data-end=\"3607\">Health and industrial ecosystems.<\/p>\n<\/li>\n<\/ul>\n<h2 data-start=\"3614\" data-end=\"3640\">\u2696\ufe0f SGK Legal Commentary<\/h2>\n<p data-start=\"3642\" data-end=\"3860\">This initiative demonstrates the European Commission\u2019s recognition that <strong data-start=\"3714\" data-end=\"3779\">regulation must evolve with the realities of business scaling<\/strong>. It mirrors a fundamental principle of <strong data-start=\"3819\" data-end=\"3859\">data protection law: proportionality<\/strong>.<\/p>\n<p data-start=\"3862\" data-end=\"4018\">At SGK Legal, we see this as a step toward a more agile and innovation-friendly regulatory environment\u2014without compromising fundamental data subject rights.<\/p>\n<h2 data-start=\"4025\" data-end=\"4047\">\ud83d\udcc5 What Comes Next?<\/h2>\n<p data-start=\"4049\" data-end=\"4325\">The proposal is now moving through the <strong data-start=\"4088\" data-end=\"4122\">ordinary legislative procedure<\/strong> (trilogue). Once adopted, the new provisions will apply across the EU, requiring data controllers and processors to reassess their obligations\u2014especially those nearing or recently surpassing SME status.<\/p>\n<h2 data-start=\"4332\" data-end=\"4353\">\ud83d\udce2 How We Can Help<\/h2>\n<p data-start=\"4355\" data-end=\"4515\">At <strong data-start=\"4358\" data-end=\"4371\">SGK Legal<\/strong>, we support organisations navigating the full spectrum of data protection compliance\u2014from startups to mid-sized firms and international groups.<\/p>\n<p data-start=\"4517\" data-end=\"4538\">Our services include:<\/p>\n<ul data-start=\"4539\" data-end=\"4712\">\n<li data-start=\"4539\" data-end=\"4564\">\n<p data-start=\"4541\" data-end=\"4564\">Data protection audits,<\/p>\n<\/li>\n<li data-start=\"4565\" data-end=\"4593\">\n<p data-start=\"4567\" data-end=\"4593\">DPIA and RoPA assessments,<\/p>\n<\/li>\n<li data-start=\"4594\" data-end=\"4636\">\n<p data-start=\"4596\" data-end=\"4636\">Industry code of conduct implementation,<\/p>\n<\/li>\n<li data-start=\"4637\" data-end=\"4663\">\n<p data-start=\"4639\" data-end=\"4663\">Certification readiness,<\/p>\n<\/li>\n<li data-start=\"4664\" data-end=\"4712\">\n<p data-start=\"4666\" data-end=\"4712\">Representation before supervisory authorities.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"4714\" data-end=\"4879\"><br data-start=\"4783\" data-end=\"4786\" \/>\ud83d\udcec <strong data-start=\"4789\" data-end=\"4832\">Subscribe to our GDPR Update Newsletter<\/strong>: <a class=\"\" href=\"http:\/\/eepurl.com\/i2kv8A\" target=\"_new\" rel=\"noopener\" data-start=\"4834\" data-end=\"4879\">eepurl.com\/i2kv8A<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The European Commission has published a legislative proposal (COM(2025) 501 final) to amend the General Data Protection Regulation (GDPR) by extending certain simplification measures and derogations currently available to SMEs, to a broader category of businesses known as Small Mid-Cap Enterprises (SMCs). This targeted proposal marks a significant development in the European data protection landscape, [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":1627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[296,111,299,298,297],"class_list":["post-1629","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-exceptions","tag-gdpr-en","tag-ropa-en","tag-smc","tag-sme"],"_links":{"self":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/comments?post=1629"}],"version-history":[{"count":1,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1629\/revisions"}],"predecessor-version":[{"id":1630,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1629\/revisions\/1630"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media\/1627"}],"wp:attachment":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media?parent=1629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/categories?post=1629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/tags?post=1629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}