On June 16, 2025, the Council of the EU (Council) and the European Parliament (EP) reached a provisional agreement on a new regulation (the Draft Regulation) to enhance enforcement of the General Data Protection Regulation (GDPR) by national data protection authorities (DPAs) and to speed up their handling of cross-border GDPR complaints and related investigations.

The Draft Regulation intends to simplify administrative procedures (e.g., by identifying the criteria for when DPAs can accept and investigate complaints under the GDPR) and harmonize complainants’ rights across the EU. In addition, the Draft Regulation provides parties under investigation and, where applicable, complainants with the right to access relevant case files (while ensuring the protection of trade secrets by permitting DPAs to withhold particular documents on confidentiality grounds) and enshrines the right to be heard at various stages of GDPR proceedings. The one-stop-shop mechanism under GDPR will remain, but new requirements will be introduced to enhance cooperation among DPAs in cross-border cases. This development will affect all businesses operating across the EU, especially organizations with EU-wide activities.

Background

EU bodies, consumer representative groups, and companies have all highlighted shortcomings in GDPR enforcement since its entry into force and advocated revisiting its procedural rules. While the GDPR sets common rules for cross-border cooperation, national procedural differences have hindered and slowed down effective enforcement. In October 2022, the European Data Protection Board sent a letter to the European Commission (EC) detailing a “wish list” of procedural aspects that could be further harmonized at EU level. In response, the EC issued the first version of the Draft Regulation to strengthen GDPR enforcement in July 2023.

After a lengthy process and final negotiations, the Council and the EP announced on June 16, 2025, that they had reached a provisional agreement on the Draft Regulation. On June 27, 2025, the latest text was circulated from the Council to the EP, and once they agree on the final text, the Draft Regulation will be formally adopted.

Highlights

The Draft Regulation contains procedural rules to enhance cooperation between DPAs when enforcing GDPR across the EU. Its key measures are:

1. EU-wide validity criteria for complaints: The Draft Regulation aims to expedite the processing of cross-border GDPR complaints by introducing clear and uniform criteria for when DPAs, across Member States, must accept a complaint and investigate the facts described therein. This includes the following:
   • Based on the current text, a complaint will be admissible if it includes: i) the name and contact details of the person or entity lodging the complaint; ii) where the complaint is lodged by a consumer representation body, the name and contact details of that body and proof that it was established and legally recognized in accordance with EU Member State law, which is lodging the complaint on the basis of a data subject’s mandate; iii) information to facilitate the identification of the controller or processor that is the subject of the complaint; and iv) a description of the alleged infringement of the GDPR. If the required information is missing, the DPA must reject the complaint and notify the complainant within two weeks of receiving the complaint.
   • DPAs may not require additional information for a complaint to be valid (e.g., the data subject does not need to contact the party under investigation before filing its complaint with the DPA). However, they may request further details later on to help their investigation.

2. A fast-track process for resolving complaints: A new “early resolution” mechanism aims to enable DPAs to resolve cases amicably before initiating the cross-border process (either before sending the complaint to the lead DPA, or before the lead DPA submits its findings to other DPAs). This new process could be used when the company has addressed the alleged issue under investigation and the complainant agrees with the early resolution of their complaint. If the DPA considers the issue to be resolved, they must inform the complainant, who must raise any objections within four weeks. If there are no objections, the DPA has two weeks to inform all parties, including the lead DPA, that the issue has been settled. Overall, this mechanism should help settle disputes faster and shorten the duration of GDPR investigations across the EU.

3. New investigation deadlines: The Draft Regulation will introduce a deadline of 15 months for DPAs to submit their draft decisions, with the possibility of a one-off, 12-month extension for complex cases. In that case, the lead DPA must inform the other involved DPAs, and explain why and how long the investigation should be extended at least four weeks before the expiry of the initial 15-month deadline. DPAs may object to the request within two weeks. This change aims to address long-standing concerns about the slow-moving nature of GDPR enforcement. The Draft Regulation will apply to investigations opened after 15 months after its date of entry into force. It will not apply to currently ongoing investigations.

4. Summary of key issues by the lead DPA: Once the lead DPA has identified the key issues under investigation, it will prepare a summary of the key issues to facilitate the cross-border review of the case. This summary will include: i) relevant facts; ii) a preliminary identification of the scope of the investigation; iii) the legal and factual issues at stake; iv) analysis of relevant views as expressed by a party under investigation or the complainant where available when the summary is drafted; and v) where applicable, preliminary identification of potential corrective measures. This summary must be shared with the concerned DPAs without delay, and no later than three months after the lead DPA confirmed its role as the lead. Concerned DPAs will have four weeks to comment on the summary, which can be extended by two weeks for complex cases or upon request by DPAs.

5. Simple cooperation procedure for straightforward cases: The latest text retains the simplified cooperation procedure for straightforward cases, for which investigations should be concluded within 12 months. This applies to cases where: i) the scope of the investigation is clear (to the lead DPA); and ii) the legal and factual issues can be handled by the lead DPA alone (e.g., in light of similar past cases). This would allow DPAs to act quickly on noncontroversial matters while also benefiting from the new cooperation rules for more complex investigations, thereby reducing their administrative burden. This procedure can only be applied if there are no objections from concerned DPAs.

6. New EU-wide procedural rights: The new rules aim to clarify the rights of both complainants and entities under investigation. These include:
    
   1. Right of access to relevant case files (with the exception of confidential information)
   • Complainants are able to participate in the proceedings and access relevant case files. For example, certain information cannot be accessed, such as internal DPA communications and confidential company information. However, the investigated party must clearly mark information as confidential when submitting it to a DPA and include an explanation of why it needs to remain confidential. In practice, these requirements will be further interpreted or supplemented by local laws, such as how “confidential information” is defined under Freedom of Information (FOI) legislation.
   • The Draft Regulation confirms that any information or documents containing trade secrets, as defined in the Directive on the Protection of Trade Secrets, must be treated as confidential. It also clarifies that such confidential information will be excluded from access to the case file. These requirements align with the principles often provided under national FOI laws, which generally prohibit the disclosure of protected information to any third parties. Despite this, the lead DPA may still require identification of the parties for whom the documents are considered confidential. In practice, however, this may be redundant, in part because access to confidential information is already restricted by such FOI laws.
   2. Right to be heard
   • The investigated party’s right to be informed about the allegations made against it. The lead DPA must inform parties under investigation about a complaint, and its main “elements,” without delay.
   • Both the complainant’s and the investigated entity’s right to be heard and to review the DPA’s preliminary findings before a final decision is made. The party under investigation, and where applicable, a complainant, may request access to the case file subject to applicable national administrative law and the protection of confidential information, such as trade secrets. A complainant will only be granted access where the decision may affect his or her interests adversely. The lead DPA must allow parties to either provide their views in writing or orally within a period of three-to-six weeks (as from the date the findings are notified).
   • In addition, if a revised draft decision, that finds an infringement of the GDPR, were to introduce new points, the lead DPA must allow the parties under investigation to also share their views on these points within three-to-six weeks before finalizing the decision.

Notwithstanding the above, Member States’ national administrative laws and procedural rules may supplement these rules (without contradicting them) and will continue to apply to all procedural matters not covered by the Draft Regulation.

Next Steps

The provisional agreement on the Draft Regulation now awaits formal approval by both the Council and the EP. The EP is expected to vote on the text in October 2025. Once adopted, the Regulation will introduce important procedural changes. Organizations operating in the EU or handling personal data of EU citizens should closely monitor these developments and assess their potential impact on their handling of regulatory complaints.

For further information or assistance regarding GDPR compliance or the impact of these new rules on your organization, please contact Cédric Burton, Laura De Boel, Yann Padova, or Nikolaos Theodorakis.

Laura Brodahl, Carol Evrard, and Jessica O’Neill contributed to the preparation of this post.