
Simpler data days ahead? EU moves to simplify ROPA Rules for smaller businesses

Thursday, 22 May 2025

On 21 May 2025 the European Commission announced plans to cut €400 million in annual administrative costs for EU companies. As part of these proposals, a new category of company, namely small-mid caps (SMCs), will benefit from specific derogations under the General Data Protection Regulation (GDPR). SMCs are companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in total assets.

The GDPR requires each controller and processor to maintain a detailed record of processing activities (a ROPA). There is a derogation for organisations with fewer than 250 employees, provided that certain conditions are fulfilled.

This proposal aims to broaden the scope of the derogation to include organisations with fewer than 750 employees. Further, for these entities the record-keeping will be mandatory only when the processing activities are likely to result in a ‘high risk’ to data subjects’ rights and freedoms. This represents a shift in the existing legal threshold: presently the derogation only refers to ‘a risk’ to the rights and freedoms of data subjects. 


The GDPR provides some non-exhaustive examples of when data processing is likely to result in a high risk:

  • A systematic and extensive evaluation of a natural person which is based on automated processing, including profiling, and on which decisions are based that produce legal effects or significantly affect the natural person.
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
  • A systematic monitoring of a publicly accessible area on a large scale.

Further, the proposal requires that SMCs are considered where (a) Member States supervisory authorities and the Commission draw up codes of conduct and (b) in the establishment of data protection certification mechanisms and data protection seals and marks by certification bodies.

This proposal should ease the administrative burden on smaller businesses that currently exceed the threshold for SMEs.

For further information please contact Partners Zelda Deasy, Seán O'Donnell, Jane O’Grady or any member of the Byrne Wallace Shields LLP Privacy and Data Protection team.