- Introduction
On 21 October 2025, the European Parliament adopted new procedural rules designed to improve cross-border enforcement of the GDPR. The reform aims to make cooperation between national data protection authorities more efficient, transparent, and predictable — addressing one of the main weaknesses of the existing “one-stop-shop” mechanism.
Since its entry into force in 2018, the GDPR has aimed to ensure consistent enforcement throughout the European Union (EU). Yet, in practice, cross-border cases have often proved slow and fragmented, mainly because of procedural divergences, extended timelines, and limited transparency for the parties involved.
- The aims of the new procedural rules recently adopted for cross-border cases
The following four main improvements to the final text of the Regulation on cross-border GDPR procedures are worthy of note.
Firstly, the final text sets out the criteria for the admissibility of complaints. Until now, interpretations concerning the form, admissibility, and rejection of complaints have varied depending on where they were lodged or which national authority acted as the lead DPA. The new procedural rules clarify the positions of complainants and the criteria for interpreting complaints. Furthermore, it fixes the deadlines, depending on the complexity of investigations, within which the admissibility of complaints must be determined.
Secondly, the right to be heard, meaning the right to access preliminary findings and to submit comments before a final decision is taken, has been formally recognised. This right constitutes a fundamental principle of EU law and must be respected in all circumstances, particularly in procedures that may give rise to high penalties.
Thirdly, the final text of the Regulation on cross-border GDPR procedures introduces a more structured form of cooperation. DPAs must now exchange all relevant information with the aim of achieving consensus, in order to reduce the number of cases that they refer to the EDPB for dispute resolution.
Lastly, the final text of the Regulation on cross-border GDPR procedures introduces detailed requirements for the form and structure of the relevant objections submitted by the DPAs concerned. This measure is intended to promote the effective participation of all authorities involved and to ensure a more efficient and timely resolution of cases. As a result, disparities are expected to diminish, enhancing both predictability and legal certainty for all stakeholders.
- Conclusion and Practical Implications
The adoption of the EU Regulation on procedural aspects of GDPR enforcement marks a significant step toward more effective and consistent data protection throughout the European Union. As a result, the EU data protection environment is becoming increasingly coherent and trustworthy.
To ensure the successful implementation of the final text, processors must adapt their internal cross-border processing and complaint management mechanisms to align with the new procedural requirement, which is expected to enter into force in 2026.
