On 16 June 2025, the Council and the European Parliament reached political agreement on the “GDPR Procedural Regulation” (a Regulation laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679). The GDPR Procedural Regulation aims to ensure faster, more efficient and more transparent handling of cross-border data protection complaints within the EU.
The text is currently only available in English (the Commission's Proposal can be consulted here). Formal approval by the Parliament and the Council is still pending. The Regulation will only enter into force after its final approval.
This reform is intended to strengthen the existing cooperation mechanism between data protection authorities in the Member States and to improve enforcement of the GDPR in cross-border situations.
The main innovations, which apply to all cross-border cases, are as follows:
- Harmonised admissibility criteria for complaints: the same conditions for lodging complaints in all Member States and faster processing of complaints.
- Strengthened procedural rights: data subjects and parties subject to investigation will, among other things, have the right to be heard and will be provided with provisional findings.
- Strict time limits: investigations must be completed within 15 months (an extension of up to 12 additional months may apply in complex cases). In cases involving simple cooperation between supervisory authorities, the maximum duration is 12 months.
- Faster handling of complaints: an “early resolution mechanism” will apply to cases where, for example, the infringement is promptly remedied.
- Simpler cooperation between supervisory authorities: fewer formalities in simple cases and the lead supervisory authority will be required to summarise the key points of the case.
We will continue to monitor the formal approval procedure and keep you informed of the specific impact this may have on your organisation.
