European Union: European Parliament passed Regulation laying down additional procedural rules relating to the enforcement of GDPR

On 21 October 2025, the European Parliament passed the regulation laying down additional procedural rules relating to the enforcement of the General Data Protection Regulation (GDPR). The regulation aims to harmonise the criteria for assessing the admissibility of cross-border complaints and clarifies the rights of complainants and entities under investigation. The regulation establishes the same admissibility standards no matter where in the EU the GDPR complaint was filed. Both complainants and companies involved will have the right to be heard at specific stages of the investigation and will receive preliminary findings to express their views before a final decision is issued. The regulation will also guarantee complainants access to relevant procedural information and files. To prevent delays, the new regulation introduces binding deadlines. Investigations must be completed within 15 months, with a possible 12-month extension for complex cases. Simpler cases resolved through cooperation between national authorities are subject to a 12-month deadline. The regulation includes a simplified cooperation mechanism to handle straightforward cases efficiently, allowing authorities to avoid unnecessary administrative burdens. It also provides for early resolution of complaints when the infringement has been addressed, and the complainant does not object. Finally, the lead authority will be required to share summaries early in the process, helping build consensus and ensuring all involved data protection bodies can respond in a timely, informed manner. The regulation now goes to the Council for approval and will enter into force 20 days after its publication in the EU Official Journal, and will be implemented 15 months after the entry into force.