The GDPR will soon be viewed through the lens of a new category of businesses.
The regulation is among the texts targeted by the European Commission’s latest omnibus measures. Through them, the Commission aims to reduce the administrative burden by “at least 25%” by the end of its mandate.
Two omnibus packages were presented in February 2025. One relaxes the non-financial reporting requirements (postponing the entry into force of the CS3D and certain provisions of the CSRD, narrowing the scope of the latter, limiting due diligence obligations, dropping sector-specific standards, etc.). The second applies the same logic to the InvestEU and EFSI regulations, with the aim of stimulating strategic investments.
Two others have followed since then. One focused on the Common Agricultural Policy, the other on “small and mid-cap” enterprises (SMCs), defined, in broad terms, as having fewer than 750 employees and not exceeding €150 million in annual turnover or €129 million in total assets.
Exemption from processing registers: what the European Commission proposes
This involves, on the one hand, opening up to these SMCs several mechanisms currently reserved for SMEs (simplified prospectus in the event of a public offering of securities, access to a complaints desk for imports subject to dumping or subsidies from non-EU countries, etc.). On the other hand, it involves exempting them from various obligations, notably regarding due diligence on batteries and battery waste, reporting of imports of products containing fluorinated greenhouse gases… and keeping registers of personal data processing activities.
Article 30 of the GDPR requires maintaining such registers. It nevertheless allows companies and organizations with fewer than 250 employees to avoid this obligation, unless they carry out processing:
- That may pose a risk to the rights and freedoms of the data subjects
- That is not occasional
- That concerns special categories of data referred to in Article 9(1) or personal data relating to criminal convictions referred to in Article 10
The European Commission proposes to bring SMCs within the scope of this derogation, while broadening it to non-occasional processing and to processing of special categories of data. For these companies, maintaining a register would therefore be mandatory only in the event of a risk to rights and freedoms.
Two other GDPR articles would be extended to cover SMCs in addition to SMEs: on the one hand, Article 40, which encourages the development of codes of conduct taking into account the needs of these types of enterprises; on the other, Article 42, which promotes the establishment of certification mechanisms in the same spirit.
Harmonizing the definition of the SMC
The European Commission believes that this relaxation could generate €66 million in annual savings. Here are the main lines of its reasoning—made up of multiple assumptions, as it itself acknowledges:
- According to Eurostat, 62% of SMEs have no employees. 38% therefore likely have processing activities, even if only concerning their employees’ data. This would represent, at EU level, 10 million enterprises.
- We can estimate that 90% of these companies (9 million) do not perform high-risk processing.
- Based on an hourly cost of €29.40, if about half of these companies (4.5 million) each need 30 minutes per day to comply with their obligations, then the annual savings amount to €66 million.
The notion of SMC* already appears in the 2014 regulation declaring certain categories of state aid compatible with the internal market, as well as in 2021 guidelines aimed at promoting investments in risk financing. Brussels intends to draw on it without reproducing it per se, in order to move toward a harmonized framework capable of underpinning a “targeted support policy”.
The classification as an SMC involves taking into account the notions of “autonomous”, “partner” and “affiliated” enterprises. It is essentially tied to the level of capital concentration and voting rights, with exceptions, particularly when investors are institutional funds, alternative funds or nonprofit organizations.
The status of SMC would be lost only after surpassing at least one threshold over two consecutive financial years. This provision, like the omnibus package as a whole, must be examined by the European Parliament.
* France does not have a definition of the SMC. A 2008 decree classifies as an ETI any company counting between 250 and 4,999 employees and having either revenue not exceeding €1.5 billion or a balance sheet total not exceeding €2 billion.