Privacy & Cybersecurity Law Blog

On November 17, 2025, the Council of the European Union (the “Council”) adopted new rules designed to strengthen cooperation among national data protection authorities (“DPAs”), enhancing the enforcement of the EU General Data Protection Regulation (“GDPR”). According to the Council, these reforms aim to streamline how cross-border data protection complaints are handled, reducing delays and improving consistency for individuals and businesses across the European Union.

The GDPR already mandates cooperation among DPAs for matters involving cross-border data processing. In these cases, one DPA acts as the lead authority, coordinating with others to ensure a cohesive approach. The new rules are intended to build upon the current system, harmonizing procedures to address issues which have caused delays and inconsistencies in the past.

The newly adopted rules introduce several changes to the way DPAs coordinate on cases that span multiple EU Member States:

• Uniform Admissibility Standards: The criteria for determining whether a cross-border complaint should be investigated will now be harmonized. DPAs throughout the EU will evaluate admissibility based on the same set of information and standards irrespective of where an individual files a complaint.
• Clearer Rights for Complainants and Investigated Parties: Common rules are established for involving complainants in investigations. Organizations under investigation shall also have the right to be heard and to review preliminary findings, allowing them to present their perspective before a final decision is issued.
• Simplified Procedures for Straightforward Cases: For less complex matters, DPAs can opt for a simplified cooperation process, bypassing the more complex administrative procedures to resolve cases more quickly and efficiently.
• Defined Investigation Deadlines: To prevent prolonged investigations, the new rules set a standard maximum duration of 15 months for most cases. Exceptionally complex investigations may be extended by up to a further 12 months. For cases handled through the simplified cooperation process set out above, the investigation must be concluded within 12 months.

The Council’s adoption represents the final legislative hurdle and the regulation will become law 20 days after its publication in the Official Journal of the EU. The regulation will become applicable 15 months following its publication, giving DPAs and stakeholders time to prepare for the updated framework.

Read the press release.