Commission Publishes Fourth Omnibus Proposal: Includes changes to record-keeping obligations under GDPR

The European Commission has today (21 May 2025) published its Fourth Omnibus Proposal, introducing targeted amendments, including changes to maintaining a Record of Processing Activities (ROPA) under Article 30 GDPR.

These proposed changes align closely with the EDPB-EDPS joint letter of 8 May 2025 and confirm the Commission’s intent to change obligations relating to ROPA.

Key Changes to Article 30(5) GDPR

The proposal replaces the current text of Article 30(5) with the following:

“The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 750 persons unless the processing it carries out is likely to result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35.”

This marks a clear shift from the existing provision, which exempts organisations with fewer than 250 employees only if:

  • the processing is occasional,
  • does not involve special categories or criminal data, and
  • is not likely to result in a risk to data subjects.

The revised version introduces three key simplifications:

  • Employee threshold raised from 250 to 750;
  • “Occasional processing” condition removed; and
  • Risk standard increased from “risk” to “high risk”, aligning with DPIA criteria in Article 35 GDPR.

Clarification on Special Category Data

A new recital is proposed to clarify that processing special categories of personal data under Article 9(2)(b) (e.g. processing relating to employment or social security obligations) does not, by itself, trigger the ROPA requirement – provided the processing is not likely to result in high risk.


New Category: Small Mid-Caps (SMCs)

The proposal also introduces the concept of SMCs (Small mid-caps), defined as organisations with fewer than 750 employees and either have up to €150 million in turnover or up to €129 million in total assets. SMCs are now proposed to be expressly mentioned in Articles 40 and 42 GDPR, requiring that their specific needs be taken into account when drafting codes of conduct and designing certification mechanisms.

This builds on the GDPR’s existing SME framework.

Click here to read the full proposal.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure