- with readers working within the Consumer Industries and Transport industries
- within Insolvency/Bankruptcy/Re-Structuring topic(s)
New changes are on the horizon for GDPR enforcement across the European Union. At the very end of 2025, the EU adopted a regulation intended to address procedures around GDPR enforcement (Regulation (EU) 2025/2518). The regulation sets out timelines for how data protection authorities (DPAs) handle complaints. It went into force this month, but will apply to GDPR enforcement actions opened after April 2, 2027.
So, what will change? The Procedural Regulation aims to make GDPR enforcement faster and more consistent. Here are the biggest changes:
- Admissibility of Complaints: Complaints will need to include specific information to move forward. DPAs will then need to quickly assess each complaint and, if it involves more than one country, promptly send it to the lead DPA.
- Early Resolution: If the alleged GDPR violation has already stopped, under the new rules, DPAs will be able to close a complaint early. Complainants can object to this, but authorities can resolve straightforward cases quickly if the problem is fixed.
- Clear Deadlines: Simple cases will need to be resolved within 12 months. More complex cases will have a 15-month deadline (which can be extended once). Key issues summaries are required for complex investigations to keep everyone on track.
- Cooperation and Access: DPAs will need to share key documents with each other during investigations. Everyone involved has the right to be heard at certain points, and both sides can access the evidence (except internal or confidential info).
Putting it into Practice: The new rules aim to create a more efficient process. If they work as intended, companies can expect tighter time frames for GDPR inquiries brought by DPAs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
