
Procedural Regulation on the GDPR: How Is Cross-Border Supervision Changing?

At the end of 2025, the European Union adopted the long-awaited procedural regulation, which is intended to clarify and expedite the enforcement of Regulation (EU) 2016/679 of the European Parliament and of the Council[1] (hereinafter the “GDPR”) in cross-border cases.

About the Regulation
Specifically, this refers to Regulation (EU) 2025/2518[2] of 26 November 2025, which was published in the Official Journal of the EU on 12 December 2025 (hereinafter the “Regulation”). The Regulation entered into force on 1 January 2026, but its provisions will not apply until 2 April 2027.

First and foremost, it must be noted that this is a procedural regulation; thus, the new provisions in the Regulation do not alter the substantive obligations under the GDPR. It therefore does not affect the rights of data subjects or the obligations of controllers and processors, nor does it change the rules for imposing fines under Article 83 of the GDPR.

The sole purpose of the Regulation is to supplement the procedural framework for cross-border enforcement of the GDPR and to resolve practical issues that have repeatedly arisen in current practice.

A closer look at the Regulation
The need for the Regulation stems from experience to date with the operation of the one-stop-shop mechanism under the GDPR. In cross-border cases, the lead supervisory authority bears primary responsibility for the cooperation process under the GDPR and coordinates the matter with the other supervisory authorities concerned. However, current practice has shown that, in the absence of uniform procedural rules, there are significant differences in procedural approaches among individual Member States.

These differences were particularly evident in the assessment of the admissibility of complaints, in the duration and organization of proceedings, and in the scope of procedural rights of the parties involved. This resulted in delays in cross-border proceedings, legal uncertainty, and limited predictability regarding the actions of supervisory authorities. The Regulation therefore aims to address these shortcomings, strengthen the effectiveness of cooperation among supervisory authorities, and harmonize the procedural framework for enforcing the GDPR across Member States.

Uniform rules for the admissibility of complaints concerning cross-border processing
One of the most important changes in the Regulation is the harmonization of rules for the admissibility of complaints concerning cross-border processing. Until now, it could happen that a similar complaint was accepted in one Member State but not in another because the local authority required more extensive or different supporting documentation. The Regulation limits this fragmented approach and establishes uniform rules across the EU. Regardless of where the complaint is filed, its admissibility must be assessed according to the same criteria.

In order for a submission to be considered a complaint in a cross-border matter, it must contain the elements specified in Article 4 of the Regulation. In addition to the complainant’s identification and contact details, it must include information enabling the identification of the controller or processor against whom it is directed, and a description of the alleged infringement of the GDPR. If the complaint is filed by a non-profit entity, it must simultaneously provide evidence of its proper establishment under the law of a Member State and of its authorization to act on behalf of the data subject. The significance of this change lies in the fact that Article 4 of the Regulation establishes a uniform set of requirements for assessing the admissibility of a complaint; therefore, supervisory authorities should not, for the purpose of assessing its admissibility alone, request additional information beyond the scope of the Regulation, without prejudice to the possibility of requesting supplementary information later for the purposes of the investigation.

The meaning of the term “complaint” is further clarified and defined by Recital 6 of the Regulation. According to it, a complaint means a submission by a data subject addressed to a supervisory authority pursuant to Article 77(1) or Article 80 of the GDPR. Conversely, neither a mere notification of alleged infringements that do not relate to the processing of the data subject’s personal data, nor requests from controllers or processors for advice, nor general inquiries regarding the application of the GDPR can be considered a complaint.

Stricter deadlines and pressure for faster resolution
The Regulation newly introduces specific deadlines for supervisory authorities’ procedures in cross-border cases and, at the same time, establishes mechanisms aimed at more efficient complaint handling. The previous legal framework did not include binding time limits for concluding cross-border proceedings, which in practice led to significant delays. Under the new rules, the lead supervisory authority is generally required to submit a draft decision pursuant to Article 60(3) of the GDPR within 15 months of confirming its jurisdiction. This deadline may be extended only once, by a maximum of 12 months, and only in exceptional cases of particular complexity.

The Regulation also establishes specific procedural mechanisms designed to facilitate the faster resolution of less complex cases or those already effectively remedied, particularly through early complaint resolution and simplified cooperation. In this regard, the Regulation aims primarily to enhance the predictability of proceedings and reduce delays in enforcing the GDPR in cross-border cases.

However, mere failure to comply with the time limits set out in the Regulation does not automatically render procedural acts or issued decisions invalid; it may nevertheless be relevant when assessing the inaction of a supervisory authority and when exercising the right to an effective judicial remedy within the meaning of Article 78 of the GDPR.

Early resolution of complaints under the Regulation
Article 5 of the Regulation establishes a mechanism for the early resolution of complaints. This applies in particular when the complaint concerns the exercise of the data subject’s rights under Chapter III of the GDPR (Rights of Data Subjects), such as the right of access, erasure, or objection to processing. If the supervisory authority determines that the alleged problem has already been resolved and remedied, it may close the case more quickly without having to fully initiate the standard cross-border cooperation procedure.

However, this procedure should not weaken the procedural protection of the complainant. If the data subject does not agree with the early resolution of the complaint, they may object to it and initiate the continuation of the standard procedure. The purpose of the early resolution mechanism is primarily to simplify the handling of cases in which a remedy has already been achieved and further procedural steps would constitute a largely unnecessary administrative burden.

Simplified cooperation
The Regulation also provides for a simplified cooperation regime between the lead supervisory authority and the other supervisory authorities concerned. This procedure is to be used in cases where a preliminary conclusion on the main issues of the matter can be reached at an early stage of the proceedings and this conclusion does not give rise to reasonable doubts. The purpose of this provision is to enable the lead supervisory authority to refer the matter to the other supervisory authorities concerned under a procedurally simpler regime, without the need to utilize the full range of coordination mechanisms designed for complex and contentious cross-border proceedings. The aim is to reduce excessive administrative burdens and expedite the handling of less complicated cases.

Strengthening the complainant’s procedural rights
The Regulation also strengthens the complainant’s procedural standing. If a supervisory authority intends to reject a complaint in whole or in part, it must allow the complainant to be heard and to comment on the matter. This harmonizes the minimum standard of procedural protection for complainants across the EU, which has not yet been applied uniformly in individual Member States. In addition, more uniform rules will apply to the complainant’s involvement in proceedings. This should contribute to both greater transparency and increased confidence in cross-border enforcement of the GDPR, which has often been criticized as opaque and protracted.

Strengthening the right of defense for organizations under investigation
A significant part of the new legislation focuses on strengthening the procedural rights of entities subject to cross-border proceedings, namely controllers and processors. In this context, the Regulation elaborates in greater detail on the right to be heard before a final decision is adopted. If, following consultations and the procedure under Articles 10 and 11 of the Regulation, the lead supervisory authority provisionally concludes that an infringement of the GDPR has occurred, it is required to issue preliminary findings pursuant to Article 19(1) of the Regulation. These preliminary findings must include, in particular, the relevant facts, legal assessment, relevant evidence, and the corrective measures the lead supervisory authority intends to adopt, including any administrative fine and the method of its calculation.

Only after the preliminary findings have been served does the subject of the investigation have the right to comment on them. Pursuant to Article 19(5) of the Regulation, the entity must be granted a period of at least three and no more than six weeks to do so, during which it may submit a written statement. In this way, the Regulation explicitly establishes procedural space for the defense even before the lead supervisory authority proceeds to draft a final decision under Article 60 of the GDPR.

Right of access to the administrative file
Closely related to the right of defense is the right of access to the administrative file, which the Regulation governs in Article 24. According to this provision, the documents contained in the administrative file must be made available to the party under investigation to the extent necessary for the effective exercise of its defense. The administrative file includes both evidence adverse to the party under investigation and evidence that may support its defense. Conversely, internal communications of supervisory authorities are excluded from access, and trade secrets, confidential information, and other protected interests expressly listed in the Regulation must be safeguarded.

This provision is further elaborated in Article 21 of the Regulation, which governs the adoption of a final decision after a draft decision has been shared as part of cooperation under Article 60 of the GDPR and no relevant objections have been raised against it within the prescribed time limits. The procedural framework is thus newly structured so that the party under investigation has the opportunity to respond to the authority’s preliminary findings before the matter proceeds to the final decision-making phase. Overall, this provision strengthens procedural fairness in cross-border proceedings. At the same time, however, it places higher demands on the entities under investigation – namely, controllers and processors – because responses to preliminary findings must be focused, legally precise, and submitted within a relatively short timeframe.

This is precisely where the practical impact of the new Regulation lies: the strengthening of defense rights is linked to the requirement for swift and competent procedural action by the entity under investigation.

Clearer coordination among supervisory authorities
The Regulation also aims to improve coordination between the lead supervisory authority and the other supervisory authorities involved. The goal is to limit situations where information is shared too late, proceedings are unnecessarily returned to earlier stages, or disputes between authorities are prolonged due to procedural uncertainty.

The result should be fewer duplicative steps, a lighter administrative burden, and a greater chance that cross-border cases will be resolved within a reasonable timeframe. More effective coordination is one of the main reasons why the Regulation was adopted in the first place.

Conclusion
The Regulation represents a significant shift in the existing model of cross-border supervision under the GDPR. Its aim is not to alter the substance of obligations under the GDPR, but to eliminate procedural weaknesses that have hitherto undermined the effectiveness of cross-border supervision. By introducing more uniform rules, stricter deadlines, and clearer procedural safeguards, it creates the conditions for faster, more predictable, and more transparent decision-making across the EU.

At the same time, however, it increases the demands on procedural discipline and preparedness for those entities that may become parties to cross-border proceedings.

The true benefits of this amendment, however, will only be fully assessable once it is applied in practice in 2027.

If you have any questions regarding personal data protection, digital regulation, or EU law, we at PEYTON legal are here to assist you.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] Regulation (EU) 2025/2518 of the European Parliament and of the Council of 26 November 2025, laying down further procedural rules for the enforcement of Regulation (EU) 2016/679

 

Mgr. Jakub Málek, managing partner – malek@plegal.cz

JUDr. Tereza Pechová, junior lawyer – pechova@plegal.cz

 

www.peytonlegal.en

 

14. 5. 2026

 
