EU adopts new procedural rules to streamline cross-border GDPR enforcement
The Council of the European Union has approved a regulation that harmonises procedural standards for handling cross-border GDPR complaints. The new rules introduce common admissibility criteria, strengthen the rights of complainants and companies, and set binding deadlines to speed up investigations.
The Council of the European Union has adopted a new regulation that sets additional procedural rules for enforcing the General Data Protection Regulation. The decision follows the Council’s approval of the European Parliament’s first-reading position on 17 November 2025, completing the legislative process.
The regulation introduces harmonised criteria for assessing the admissibility of cross-border GDPR complaints. Under the new system, the same standards will apply no matter where in the EU a complaint is submitted. The aim is to provide more consistency across national authorities and reduce procedural discrepancies that have slowed down cross-border enforcement.
The rules also clarify the rights of both complainants and the entities under investigation. All parties will have the right to be heard at specific points during the procedure. They will receive preliminary findings and may respond before a final decision is issued. Complainants will also gain access to relevant procedural information and case files, improving transparency.
To address delays that have affected many cross-border cases, the regulation introduces binding deadlines. Authorities must complete investigations within 15 months, with the option of a 12-month extension for complex cases. Simpler cases handled through cooperation between national authorities must be concluded within 12 months. A simplified cooperation mechanism is included to ensure that straightforward cases are processed efficiently without unnecessary administrative steps.
The regulation also encourages early resolution of complaints. If an infringement has already been remedied and the complainant does not object, authorities may close the case without further proceedings. In addition, the lead supervisory authority will be required to share summaries earlier in the process. This measure is intended to support coordination between national data protection bodies and ensure that all relevant authorities can respond in a timely manner.
The new procedural regulation will enter into force 20 days after its publication in the Official Journal of the European Union. It will begin to apply 15 months after entering into force.
