The European Union has adopted new regulations aimed at streamlining GDPR enforcement procedures across member states. Regulation (EU) 2025/2518, which took effect this month, will apply to enforcement actions opened after April 2, 2027.
The procedural regulation establishes specific timelines for how data protection authorities handle complaints. Under the new rules, complaints must include specific information to be deemed admissible, and authorities must quickly assess each complaint and forward cross-border cases to the appropriate lead DPA.
The regulation introduces an early resolution mechanism allowing DPAs to close complaints when alleged violations have already ceased. While complainants can object to early closure, authorities may resolve straightforward cases quickly if underlying issues have been addressed.
New deadlines require simple cases to be resolved within 12 months, while complex cases face a 15-month deadline that can be extended once. Complex investigations must include key issues summaries to maintain progress tracking.
The rules mandate that DPAs share essential documents during investigations and guarantee both parties the right to be heard at designated points in the process. All involved parties will have access to evidence, excluding internal or confidential information.
The regulation aims to create more efficient and consistent GDPR enforcement across the EU. Companies can expect tighter timeframes for responding to DPA inquiries under the new procedural framework.
