Highlights
- On 21 May 2025, the European Commission welcomed its fourth simplification Omnibus package (“Omnibus IV”). The package contains a proposal for a Regulation amending the GDPR. The draft notably designates a new category of company: small mid-cap enterprises (“SMCs”).
- Omnibus IV defines SMCs as enterprises with fewer than 750 employees, and either up to €150 million in turnover, or up to €129 million in total assets.
- In contrast, small enterprises have fewer than 50 employees and an annual turnover of up to €10 million while medium enterprises are those with fewer than 250 employees and an annual turnover of up to €50 million (together, “SMEs”). The goal of introducing this category, and the goal of Omnibus IV more broadly, is to ease the transition for companies from SME to SMC stages by reducing administrative burdens.
- To achieve its aims, Omnibus IV proposes extending the application of certain measures which concern SMEs under Articles 30, 40, and 42 of the GDPR to SMCs as well.
- On 9 July 2025, the EDPB and EDPS issued a joint opinion on Omnibus IV (the “Opinion”), expressing support for its general aim of reducing the administrative burden for SMEs and SMCs, with the caveat that the changes should not compromise the protection of the fundamental rights of individuals.
Records of Processing Activities (“ROPAs”)
- Article 30 GDPR requires organisations to maintain ROPAs in both written and electronic form. Article 30(5) exempts SMEs from this requirement where the processing is unlikely to result in a risk to the rights and freedoms of data subjects, is not occasional and does not include special categories of data or personal data relating to criminal convictions and offences.
- Omnibus IV proposes raising the risk threshold for application. The current test, “unlikely to result in a risk”, is a lower threshold; under the proposal, SMEs (and now also SMCs) would be required to compile ROPAs only when the processing activity is likely to result in a “high-risk” to the rights and freedoms of the data subjects, which is a higher threshold. However, entities availing of this exemption may still need to conduct an impact assessment to confirm their compliance with this threshold.
- The EDPB and EDPS comment in the Opinion that co-legislators could avoid potential misinterpretation of the proposed changes to Article 30(5) through use of additional recitals in the GDPR. In addition, proposed amendments to Article 30(5) refer to ‘enterprises’ or ‘organisations’. The EDPB and EDPS recommend that such references be updated to the notions of ‘SMEs’ or ‘SMCs’ to better ensure that the objectives of Omnibus IV are pursued.
Codes of Conduct
- Article 40 GDPR requires Member States, supervisory authorities, the EDPB, and the Commission to encourage associations and bodies who represent controller or processor categories to draw up codes of conduct relating to the GDPR’s application. It further suggests that such codes ought to consider the “specific features of various processing sectors” and “the specific needs of micro, small and medium-sized enterprises”. Omnibus IV proposes to extend this consideration to SMCs to ensure that their needs are also considered in the creation of such codes.
- Given that Article 40 falls short of prescribing substantive content for the codes and the provision is underscored by voluntary compliance, its administrative burden is indeterminate. Although Article 40(11) GDPR obliges the EDPB to maintain registers in respect of approved codes of conduct, the limited volume of codes recorded indicates that this mechanism is seldom used in practice. Therefore, amendments designed to ease such burden are unlikely to be consequential.
Certifications
Article 42 GDPR requires Member States, the supervisory authorities, the European Data Protection Board and the Commission to encourage the establishment of data protection certification mechanisms, and of seals and marks by relevant authorities. Article 42 further states that “the specific needs of micro, small and medium-sized enterprises shall be taken into account”. Omnibus IV seeks to broaden the parameters of Article 42 to consider the specific needs of SMCs when such certifications are issued.
Next Steps
The proposal will be submitted to the European Parliament and the Council of the European Union through the EU’s ordinary legislative procedure. Given that the draft Regulation is still at the proposal stage, it may not be formally adopted until the end of 2026 at the earliest.
The authors would like to thank Avril Horgan for her contribution to the article.