I. Introduction
Since its application in 2018, the General Data Protection Regulation (GDPR) has established a uniform framework for the protection of personal data across the European Union (EU). The first seven years of practical experience with the GDPR’s decentralized enforcement model have revealed persistent deficiencies, particularly with regard to delays or refusals to act upon alleged infringements or complaints lodged by individuals. These shortcomings have been especially visible within the GDPR’s one-stop-shop mechanism, which allocates primary responsibility for cross-border enforcement to a lead supervisory authority (LSA) (Gentile and Lynskey 2022). Concerns have emerged regarding ineffective complaint handling, uneven procedural standards across the Member States, and the limited ability of other concerned authorities (CSAs) to meaningfully influence proceedings. Such deficiencies do not only undermine the effective protection of data subjects, but also risk distorting competition within the EU internal market (Mustert 2023).
In response, the European Commission presented in 2023 a Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR. This initiative resulted in the adoption of Regulation (EU) 2025/2518 in November 2025 (The GDPR Procedural Regulation). The Procedural Regulation introduces detailed procedural rules governing the admissibility of complaints, early resolution mechanisms, administrative cooperation, dispute resolution, procedural time limits, and procedural rights. The Regulation is expressly limited in scope to cases with a cross-border element and leaves purely domestic enforcement largely untouched.
While the adoption of a binding procedural instrument represents a significant step towards addressing uneven enforcement, this blogpost argues that the Procedural Regulation risks undermining its own objectives. Its highly complex and dense procedural architecture preserves significant discretion for LSAs while offering limited safeguards against delay or inaction. Moreover, it embeds a clear procedural asymmetry between complainants and parties under investigation, thereby weakening the complaint procedure’s remedial function. This blogpost is based on an article published in the European Data Protection Law Review in January 2026 (Mustert 2026).
II. The Admissibility of Complaints
Complaint-based enforcement lies at the heart of the GDPR system. Supervisory authorities (SAs) are required to handle complaints and to investigate those ‘to the extent appropriate’ (Article 57(1)(f) GDPR), reflecting the GDPR’s ambition to provide individuals with an accessible and effective remedy (as confirmed by the CJEU in Joined Cases C-26/22 and C-64/22). However, in practice, significant divergences have emerged across Member States regarding what constitutes a complaint and how admissibility is assessed. The Procedural Regulation attempts partial harmonisation by establishing the information that should be included in a complaint in order to be admissible – i.e., identification of the complainant, the controller or processor, and a description of the alleged infringement (Art. 4(1) Procedural Regulation). Once these criteria are met, admissibility decisions are binding on the LSA.
However, several shortcomings can be identified. Firstly, the Procedural Regulation does not grant complainants a right to rectify incomplete submissions. SAs retain discretion to reject complaints immediately, which may disproportionately affect individuals lacking legal expertise. Secondly, national administrative modalities continue to apply. Meaning that, for example, language requirements or limitation periods may still form barriers. As a result, significant divergences persist (EDPB-EDPS Joint Opinion 01/2023). Thirdly, the Procedural Regulation fails to clarify the procedural step requiring data subjects to first contact controllers before lodging complaints to SAs in certain cases. While this requirement is limited to complaints regarding rights under Chapter III GDPR – such as the right to access information or to have personal data rectified or erased – the absence of clear timelines creates uncertainty and may delay access to SAs. It also limits the informational function of complaints for SAs, which the Procedural Regulation itself recognises as an important source for detecting infringements (recital 5 Procedural Regulation).
Taken together, these shortcomings illustrate that the harmonisation achieved on this point is only partial. Furthermore, rather than eliminating barriers, the Procedural Regulation risks reproducing them in a more formalised manner.
III. Early Resolution: Efficiency at the Expense of a Remedial Function?
The Procedural Regulation introduces a so-called ‘early resolution procedure’, designed as an alternative to full investigations and diverse amicable settlement procedures across the Member States (Art. 5 Procedural Regulation). This procedure allows SAs to resolve certain complaints – particularly those relating to data subjects rights under Chapter III of the GDPR – without exhaustively investigating all legal and factual elements of a complaint.
From an efficiency perspective, early resolution may appear attractive. It promises faster outcomes and reduced administrative burden. However, its design raises fundamental concerns regarding the nature of the complaint procedure. Under the GDPR, complaints are not merely informational input for SAs. Instead, the complaint procedure should constitute a legal remedy for individuals. This understanding has been emphasised by the CJEU (Joined Cases C-26/22 and C-64/22), which concluded that complaint procedures must effectively safeguard data subjects’ rights. However, the early resolution mechanism risks undermining this remedial function in several ways.
Firstly, the Procedural Regulation provides little guidance on when early resolution is appropriate. This broad discretion may enable SAs to steer complaints that do not fit their priorities into simplified procedures, effectively institutionalising prioritisation practices that have previously been criticized (González Fuster 2024; Hofmann and Mustert 2024). Such prioritization is particularly problematic where a complaint is meant to function as a legal remedy: if only complaints addressing topics that form a priority to the SA, or those pointing at serious or systemic violations receive full attention, individual complainants risk being deprived of effective redress for violations that are important to them personally. Hence, it is essential to ensure that the early resolution procedure is not applied to complaints which do not genuinely lend themselves to such simplified treatment. Any broader application would be difficult to reconcile with the principle of good administration, which requires an authority to examine carefully the factual and legal elements brought to its attention by the complainant (Hofmann 2013).
Secondly, complainants play only a limited role in shaping the outcome of the early resolution procedure. Their involvement is merely ex post and confined to a right to object to the proposed resolution of declaring the complaint devoid of purpose where the violation has ended, which stands in stark contrast to the consensual nature typically associated with settlement mechanisms (Chirulli and De Lucia 2021).
Thirdly, early resolutions adopted by concerned SAs may bypass the GDPR’s cooperation system entirely, thereby weakening coordinated enforcement in cross-border cases. Lastly, legal uncertainty persists regarding the binding nature and appealability of the resolutions reached by the concerned SAs. Where decisions are not clearly classified as legally binding acts, complainants may be deprived of effective judicial protection. In sum, while early resolution may enhance administrative efficiency, it risks doing so at the expense of individual rights.
IV. Administrative Cooperation: Mitigating the Outsized Role of the LSA?
Under the one-stop-shop mechanism, enforcement in cross-border cases is primarily the responsibility of one LSA, who is required to cooperate with the other CSAs (Art. 56 GDPR). The GDPR envisages consensus-based decision-making in such cases, supported by obligations of information exchange, mutual assistance, and joint operations (Arts. 60-62 GDPR). These mechanisms are intended to function as a form of peer pressure as it should enable SAs to safeguard the rights of data subjects in their territory, despite not having a leading role in enforcement (Opinion of AG Bobek in Case C-645/19). The Procedural Regulation introduces a significantly more detailed framework for administrative cooperation between SAs. It distinguishes between ‘simple’ and ‘complex’ cases and establishes extensive procedural obligations, including strict timelines and enhanced information-sharing requirements.
Simple cooperation – largely reflecting the original framework under the GPDR – is premised on the assumption that certain cases do not require extensive involvement of concerned SAs. Yet, this streamlined approach risks reinforcing existing asymmetries. In particular, the broad discretion afforded to the LSA in defining the scope of the investigation and determining the information that is relevant to share – through a newly introduced cooperation file – may limit the ability of CSAs to exercise meaningful oversight.
Conversely, the enhanced procedure for complex cases introduces a highly detailed, multi-phase process designed to facilitate early input from CSAs and more streamlined coordination. While this process may improve the efficiency and transparency of the cooperation procedure, it also entails significant procedural density and rigidity. The continued reliance on the LSA to decide what is ‘relevant’ information to share (Art. 10 Procedural Regulation), combined with limited escalation pathways via the EDPB where disagreement amongst the SAs persist, may undermine the effectiveness of this model in practice. Moreover, the absence of clear mechanisms to ensure consistent engagement of CSAs at all procedural stages raises questions as to whether the enhanced framework sufficiently mitigates the risks inherent in the simpler regime (see for a more detailed analysis of the newly established cooperation procedure Mustert 2025).
V. Time Limits
A key objective of the Procedural Regulation is to address delays in enforcement. To this end, it introduces an exceptionally detailed and rigid system of procedural deadlines governing virtually every stage of the process. This includes deadlines for admissibility decisions, transfers of complaints to the LSA, the determination of the LSA’s competence, the determination of a case as complex or simple, exchanging information, commenting on summaries, submitting preliminary findings, hearing the parties and eventually the adoption of draft and final decisions (Arts. 6(2), 9(2), 10(3)(4)(5), 16, 17, 19(4)(5) Procedural Regulation). Together, these steps should result in final decisions adopted within 12 months in simple cases and 15 months in complex cases, subject to limited extensions (Art. 12 Procedural Regulation). While this framework enhances predictability, its practical effectiveness is questionable. Crucially, the Regulation provides that procedural steps taken after the expiry of deadlines do not affect their legality or validity (Art. 14 Procedural Regulation). As a result, most time limits function as internal organisational benchmarks without procedural or legal consequences. Escalation to the EDPB at EU level is only possible in a limited number of cases, and only delays at very late stages – such as the failure to adopt a draft or final decision – may constitute a ‘failure to act’ open to judicial review under Article 77(2) GDPR. This significantly weakens the Procedural Regulation’s ability to ensure timely enforcement. For complainants, the practical consequence is that procedural delays may persist without effective means for escalation.
VI. Procedural Rights: A Structural Imbalance between Investigated Parties and Complainants
The Procedural Regulation also seeks to harmonise procedural rights, particularly the right to be heard and access to the file. However, it does so in a manner that clearly prioritises the rights of parties under investigation over those of complainants. Parties under investigation are granted the right to access the administrative file and the opportunity to respond to preliminary findings and the revised draft decision if this revised decision raises new elements on which the parties have not been heard (Arts. 19(2)(5) and 24(1) Procedural Regulation). These rights reflect fundamental principles of defence. By contrast, complainants are explicitly not considered parties to the procedure (recital 50 Procedural Regulation). Their procedural rights are significantly more limited and vary depending on the procedural context. In many cases, complainants are only granted the opportunity to submit written observations, without access to the underlying evidence or meaningful participation in later stages of the procedure. Access to the file is generally restricted and often contingent on demonstrating that their interests are ‘adversely affected’, which seems to include only situations where a complaint is being dismissed or rejected (Art. 24(2) GDPR Procedural Regulation).
This approach raises several concerns. Firstly, it undermines the effectiveness of the complaint procedure as a legal remedy. Without access to relevant information, complainants are poorly positioned to assess or challenge enforcement outcomes. Secondly, the reliance on the notion of ‘adverse effect’ introduces legal uncertainty due to the strict interpretation of this notion under the Procedural Regulation and inconsistent interpretations in CJEU case law (see on that point Mustert 2026, p. 14). Thirdly, the asymmetry between complainants and investigated parties sits uneasily with the GDPR’s rights-based framework, which places individuals at its core. The result is a procedural model that effectively demotes complainants to the role of informants, rather than rights-holders seeking redress.
VII. Conclusion: Complexity without Clarity
The GDPR Procedural Regulation represents an ambitious attempt to address persistent shortcomings in cross-border enforcement. It introduces detailed procedural rules, enhances cooperation mechanisms, and seeks to improve efficiency and consistency. Yet, its design raises fundamental concerns. The Procedural Regulation transforms the GDPR’s enforcement system into a dense and highly technical procedural framework, characterised by multiple pathways of case or complaint handling, rigid timelines, and complex interactions between the national and EU levels. Rather than simplifying enforcement, it risks creating a procedural maze in which outcomes depend heavily on procedural choices and classifications. At the same time, the Regulation preserves the structural dominance of LSAs, offers limited safeguards against delay or inaction, and fails to provide effective escalation mechanisms in many situations. Most importantly, it embeds a clear imbalance between complainants and investigated parties, thereby weakening the role of the complaint procedure as a legal remedy. In doing so, it risks undermining the very objective of the GDPR: the effective protection of individuals’ fundamental right to personal data protection.
Posted by Dr. Lisette Mustert, Assistant Professor of Administrative Law at Utrecht University.