GDPR: EU Member States Approve Faster Cross-Border Data Protection Procedures

The EU Council has finally adopted new rules to improve cooperation between national data protection authorities in GDPR enforcement.

(Image: peterschreiber.media/Shutterstock.com)

Nov 17, 2025 at 4:48 pm CET

3 min. read

By

Stefan Krempl

The EU Council of Ministers gave final approval on Monday to the mini-reform of the General Data Protection Regulation (GDPR), which it agreed with representatives of the Parliament in June. The aim is to improve cooperation between national data protection authorities in enforcing the regulatory framework. This is intended to speed up the processing of cross-border data protection complaints. This primarily concerns the “Ireland problem”: the Irish Data Protection Commission (DPC) is currently considered a bottleneck for GDPR enforcement against big tech corporations that have their European headquarters on the island. Harmonized procedures should prevent disputes in the European Data Protection Board (EDPB) from leading to complicated and lengthy conciliation procedures in the future.

A central element of the amendment, which has been fiercely debated for years concerns the harmonization of admissibility requirements for cross-border complaints. In the future, regardless of which EU member state a complaint is filed in, the decision on its admissibility will be assessed based on the same information. This will create a standardization of criteria, aiming to eliminate different national interpretations and provide data subjects with greater legal certainty. This harmonization is considered crucial to end the fragmentation that has so far hindered the smooth functioning of the EU-wide cooperation mechanism.

Videos by heise

Simplified Cooperation Procedure

At the same time, the new regulations provide for joint procedural rights for all parties involved. This includes the right of data subjects to be involved in the proceedings, as well as the enshrined right to be heard for the companies or organizations being investigated. The latter will also have the documented option to review and comment on preliminary investigation findings. This is intended to increase the transparency and fairness of the entire procedure. Furthermore, a simplified cooperation procedure is introduced for uncomplicated cases: to avoid unnecessary administrative effort, national data protection authorities can agree to settle such matters prematurely.

Read also

Servers with an overlaid US flag, with the EU flag blurred in the background

Opinion: US Authorities Have Far-Reaching Access to European Cloud Data

USA and Europe with flags, shield in the middle

On-Prem: Microsoft's extensive expansion of Azure Local

DMA: Meta offers EU users more choices for targeted advertising

The Russmedia ruling of the ECJ: Towards a “Cleannet”?

The twelve yellow EU stars on a blue background; in a circle, there is a white padlock and the letters GDPR (General Data Protection Regulation); the blue background is a map of Europe

Bitkom Survey: Large Majority of Companies Demand GDPR Reform

Arguably the most important innovation is the introduction of binding deadlines for GDPR investigations. A regular cross-border procedure may no longer take longer than 15 months. Only in the most complex cases can this deadline be extended once by a maximum of twelve additional months. For complaints handled through the new simplified cooperation procedure, the investigation must be concluded within twelve months. Civil rights advocates argue that these provisions are insufficient. The Council's decision marks the final legislative step. The so-called implementing regulation will enter into force 20 days after its publication in the EU Official Journal and will become fully applicable after a transitional period of 15 months. The EU Commission is expected to launch an extensive GDPR reform on Wednesday, which critics say would weaken data protection.