European Union: Regulation laying down additional procedural rules relating to the enforcement of GDPR enters into force

On 2 April 2027, the Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 enters into force. The regulation aims to harmonise the criteria for assessing the admissibility of cross-border complaints and clarifies the rights of complainants and entities under investigation. The regulation establishes the same admissibility standards no matter where in the EU the GDPR complaint was filed. Both complainants and companies involved will have the right to be heard at specific stages of the investigation and will receive preliminary findings to express their views before a final decision is issued. The regulation will also guarantee complainants access to relevant procedural information and files. To prevent delays, the new regulation introduces binding deadlines. Investigations must be completed within 15 months, with a possible 12-month extension for complex cases. Simpler cases resolved through cooperation between national authorities are subject to a 12-month deadline. The regulation includes a simplified cooperation mechanism to handle straightforward cases efficiently, allowing authorities to avoid unnecessary administrative burdens. It also provides for early resolution of complaints when the infringement has been addressed, and the complainant does not object. Finally, the lead authority will be required to share summaries early in the process, helping build consensus and ensuring all involved data protection bodies can respond in a timely, informed manner.