European Union: Council of the European Union adopted Regulation laying down additional procedural rules relating to the enforcement of GDPR

On 17 November 2025, the Council of the European Union approved the European Parliament’s first-reading position on the proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, thereby adopting the legislative act. The regulation aims to harmonise the criteria for assessing the admissibility of cross-border complaints and clarifies the rights of complainants and entities under investigation. The regulation establishes the same admissibility standards no matter where in the EU the GDPR complaint was filed. Both complainants and companies involved will have the right to be heard at specific stages of the investigation and will receive preliminary findings to express their views before a final decision is issued. The regulation will also guarantee complainants access to relevant procedural information and files. To prevent delays, the new regulation introduces binding deadlines. Investigations must be completed within 15 months, with a possible 12-month extension for complex cases. Simpler cases resolved through cooperation between national authorities are subject to a 12-month deadline. The regulation includes a simplified cooperation mechanism to handle straightforward cases efficiently, allowing authorities to avoid unnecessary administrative burdens. It also provides for early resolution of complaints when the infringement has been addressed and the complainant does not object. Finally, the lead authority will be required to share summaries early in the process, helping build consensus and ensuring all involved data protection bodies can respond in a timely, informed manner. The regulation will enter into force 20 days after its publication in the Official Journal of the European Union and will apply 15 months after its entry into force.