On 21 May 2025, the European Commission submitted a proposal for a regulation including amendments to the General Data Protection Regulation (GDPR) as part of its fourth simplification omnibus package. The proposed regulation amends Articles 30, 40, and 42 of the GDPR to expand on previous derogations. Specifically, the regulation amends Article 30(5) by clarifying that the obligation to maintain records of processing activities applies only when the processing is likely to result in a high risk to the rights and freedoms of data subjects. At the same time, it expands the scope of the derogation from this obligation to include small mid-cap enterprises (SMCs) and organisations with fewer than 750 employees, instead of the current threshold of 250. In addition, the proposed regulation amends Article 40(1) to ensure that the specific needs of small and medium-sized enterprises (SMEs) and SMCs are considered when associations and other bodies draw up codes of conduct. Similarly, it updates Article 42(1) to require that data protection certification mechanisms and seals also take into account the needs of both SMEs and SMCs.