Regulation (EU) 2025/2518 of the European Parliament and of the Council of 26 November 2025 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679 (Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council (3) establishes a decentralised enforcement system, which aims to ensure the consistent interpretation and application of that Regulation in cases concerning cross-border processing. In such cases, the decentralised enforcement system requires cooperation between supervisory authorities in an endeavour to reach consensus. Where supervisory authorities cannot reach consensus, Regulation (EU) 2016/679 provides for dispute resolution by the European Data Protection Board (the ‘Board’).

(2) In order to provide for the smooth and effective functioning of the cooperation mechanism and the dispute resolution mechanism provided for in Articles 60 and 65 of Regulation (EU) 2016/679, respectively, it is necessary to lay down rules concerning the conduct of proceedings by the supervisory authorities in cases concerning cross-border processing, and by the Board during dispute resolution, including the handling of complaints. For that reason, it is also necessary to lay down rules concerning the exercise of the right to be heard prior to the adoption of decisions by supervisory authorities and, as the case may be, by the Board.

(3) In the absence of Union rules governing the matter, it is for each Member State, in accordance with the principle of procedural autonomy of Member States, to lay down the detailed rules of administrative and judicial procedures intended to ensure a high level of protection of rights that individuals derive from Union law. The procedural law of each Member State should therefore apply to the supervisory authorities insofar as this Regulation does not harmonise a matter, and as long as such national procedural rules do not impede the principles of effectiveness and equivalence of Union law.

(4) This Regulation aims to ensure that investigations in cases concerning cross-border processing are carried out in accordance with the principle of good administration, in particular that they are carried out impartially, fairly and within a reasonable time. This Regulation, therefore, lays down some horizontal principles relating to the procedures in the enforcement of Regulation (EU) 2016/679 for such cases.

(5) Complaints are an essential source of information for detecting infringements of data protection rules. Information provided by a complainant as part of the complaint lodged or when making his or her views known can include arguments and evidence that can help progress the investigation. Establishing clear and efficient procedures for the handling of complaints in cases concerning cross-border processing is necessary since it is possible that the complaint is dealt with by a supervisory authority other than the one with which the complaint has been lodged.

(6) A complaint should be understood as a claim lodged by a data subject with a supervisory authority in accordance with Article 77(1) or Article 80 of Regulation (EU) 2016/679. The mere reporting of alleged infringements which do not concern the processing of personal data relating to the data subject, requests for advice from controllers or processors or general requests regarding the application of Regulation (EU) 2016/679, either from controllers, processors or natural persons, is not to be regarded as a complaint.

(7) In order for a complaint concerning cross-border processing to be admissible, it should contain specified information. No information additional to that specified in this Regulation should be required for such a complaint to be admissible. Administrative modalities and requirements of admissibility for complaints under the national law of the supervisory authority with which a complaint has been lodged, such as language, statute of limitations, means of identification, electronic form, specific template or signature, continue to apply.

(8) The contact details of the person lodging the complaint could include a postal address, place of residence and, where available, an email address. The fact that a complainant is a natural person who is not in a position to exercise his or her right to lodge a complaint without the assistance of a legal representative, for example because he or she is a child or because he or she has a disability or vulnerability, and, therefore, exercises his or her rights through another person, such as a parent, legal guardian or family member, provided that such representation is permitted under national law, needs to be clearly identified at the point in time at which the complaint is lodged.

(9) Where the complaint is lodged by a not-for-profit body, organisation or association referred to in Article 80 of Regulation (EU) 2016/679, proof that the body, organisation or association has been properly constituted in accordance with the law of a Member State should be provided, together with the name and contact details of such body, organisation or association as well as proof that such body, organisation or association is acting on the basis of a mandate of the data subject. The modalities and procedures for such proof are determined in accordance with the law of the Member State of the supervisory authority with which the complaint has been lodged.

(10) The complainant should not be required to contact the party under investigation before lodging a complaint in order for that complaint to be admissible. Where the complaint relates to the exercise of a right of the data subject that relies on the data subject concerned making a request to the controller, that request should be made to the controller before the lodging of the complaint.

(11) The supervisory authority with which the complaint has been lodged should determine, by way of a preliminary conclusion, whether the complaint concerns cross-border processing, the supervisory authority presumed to be competent to act as lead supervisory authority in accordance with Article 56(1) of Regulation (EU) 2016/679, and whether Article 56(2) of that Regulation applies. Where an early resolution procedure has not been initiated, the supervisory authority with which the complaint has been lodged should transmit admissible complaints to the supervisory authority presumed to be competent to act as lead supervisory authority and inform the complainant thereof. The determination of admissibility of the complaint by the supervisory authority with which the complaint has been lodged should be binding on the lead supervisory authority.

(12) It is important that supervisory authorities facilitate the submission of all required information by the complainant, for example by providing templates or electronic forms, taking into account relevant guidance of the Board. Supervisory authorities can facilitate the submission of complaints in a user-friendly electronic format and bearing in mind the needs of persons with disabilities, as long as the information required from the complainant corresponds to the specified information required. No additional information should be required in order to find the complaint admissible.

(13) In order to facilitate the handling of a complaint, supervisory authorities should be able to request supplementary information from the complainant. Where some of the information necessary for a complaint to be deemed admissible is missing, the supervisory authority with which that complaint has been lodged could contact the complainant in order to obtain the missing information, where feasible. Where a complaint is inadmissible, the supervisory authority should declare it inadmissible and inform the complainant of the missing information within the deadline provided for by this Regulation, to allow that complainant to submit an admissible complaint.

(14) Where, following receipt of an admissible complaint concerning cross-border processing from a supervisory authority, the lead supervisory authority requires additional information from the complainant in order to allow for the full investigation of the complaint, the supervisory authority with which the complaint has been lodged should assist the lead supervisory authority, including by contacting the complainant to seek the required information if needed.

(15) Where the lead supervisory authority initiates an investigation on the basis of a complaint, the parties under investigation should be informed without delay about the lodging of that complaint and of its main elements. The provision of such information by the lead supervisory authority could however be postponed for as long as necessary to protect the integrity of the investigation and allow for the effective conduct of investigative measures.

(16) In order to guarantee the effective functioning of the cooperation and consistency mechanisms in Chapter VII of Regulation (EU) 2016/679, it is important that cases concerning cross-border processing be resolved in a timely manner and in line with the spirit of sincere and effective cooperation that underlies Article 60 of Regulation (EU) 2016/679. The lead supervisory authority should exercise its competence within a framework of close cooperation with the other supervisory authorities concerned. Likewise, supervisory authorities concerned should actively engage in an investigation at an early stage in an endeavour to reach consensus, making full use of the tools provided by Regulation (EU) 2016/679. It is important that the cooperation between supervisory authorities be based on open dialogue which allows supervisory authorities concerned to meaningfully impact the course of the investigation by sharing their experiences and views with the lead supervisory authority, with due regard for the margin of discretion enjoyed by each supervisory authority. Supervisory authorities should conduct procedures in an expedient and efficient manner and should cooperate with each other in a sincere and effective manner, including by providing support where necessary and responding to requests without delay.

(17) Supervisory authorities should decide on complaints within a reasonable timeframe. For this reason, this Regulation lays down time limits. What is a reasonable timeframe depends on the circumstances of each case and, in particular, its context, the various procedural steps followed by the lead supervisory authority, the conduct of the parties under investigation and the complainant in the course of the procedure and the complexity of the case. In order to effectively protect the fundamental rights and freedoms of data subjects in relation to the processing of personal data, it is important that complaints be handled in an efficient and expedient manner. Depending on the circumstances of a case, the time required to handle a complaint could be shorter than the time limit provided for in this Regulation. Efficient cooperation between the lead supervisory authority and the other supervisory authorities concerned can also have a positive impact on the expedient handling of cases.

(18) A complainant should have the possibility to communicate exclusively with the supervisory authority with which the complaint of that complainant has been lodged. That possibility does not prevent the complainant from communicating directly with another supervisory authority, including the lead supervisory authority.

(19) It is important to consider the personal data processed and the situation of the data subject, for example where a complaint relates to the processing of personal data of children.

(20) The lead supervisory authority should provide the supervisory authority with which the complaint has been lodged with the necessary information on the progress of the investigation for the purpose of providing updates to the complainant.

(21) In order for supervisory authorities to bring a swift end to infringements of Regulation (EU) 2016/679 and to deliver a quick resolution for complainants, supervisory authorities should endeavour, where appropriate, to resolve complaints through an early resolution procedure in accordance with this Regulation. For that purpose, the supervisory authority should establish whether the infringement alleged in the complaint has been brought to an end in a manner that renders the complaint devoid of purpose. Member States are not required to introduce new procedures under national law to allow their supervisory authorities to resolve a complaint through an early resolution procedure.

(22) A complaint should be resolved through an early resolution procedure only where the complainant has not submitted a timely objection to the finding that the alleged infringement has been brought to an end and that the complaint is therefore devoid of purpose. The early resolution of a complaint should therefore apply to cases where the complainant is duly able to assess the proposed outcome.

(23) The early resolution of a complaint can be particularly useful to expeditiously resolve complaints concerning infringements of the rights of the data subject under Chapter III of Regulation (EU) 2016/679 to the satisfaction of the complainant. That early resolution should allow the supervisory authority with which the complaint has been lodged or the lead supervisory authority to establish, on the basis of preliminary engagement with the controller and provided that supporting evidence has been obtained, that the complaint is devoid of purpose.

(24) The early resolution of a complaint through an early resolution procedure should be without prejudice to the exercise by the lead supervisory authority of its powers in accordance with Regulation (EU) 2016/679 on the same subject matter, for example in the case of systemic or repetitive infringements of that Regulation.

(25) Where the lead supervisory authority to which the complaint has been transmitted considers that a complaint can be resolved through an early resolution procedure, a draft decision pursuant to Article 60(3) of Regulation (EU) 2016/679 should be submitted to the other supervisory authorities concerned, with a view to adopting a final decision in accordance with Article 60(7) of Regulation (EU) 2016/679 establishing that the alleged infringement has been brought to an end and that the complaint, or part of the complaint, has been resolved by the lead supervisory authority. The draft decision submitted could therefore be simplified and limited to information that the complaint has been resolved, in whole or in part, through an early resolution procedure, indicating the reasons underlying the decision and the scope of the resolution, and confirming that the complaint is therefore devoid of purpose. In such cases, the lead supervisory authority should directly submit its draft decision to the other supervisory authorities concerned, without having to draft and circulate a summary of key issues or preliminary findings.

(26) Where the lead supervisory authority has formed a preliminary view on the main issues in an investigation, it should be possible for the lead supervisory authority to cooperate with the other supervisory authorities concerned through a simple cooperation procedure. The simple cooperation procedure should be applied on a case-by-case basis, provided that the lead supervisory authority considers that no reasonable doubt exists as to the scope of the investigation and that the legal and factual issues identified do not require additional cooperation that would be required for the purposes of a complex investigation, in particular where those issues can be addressed on the basis of the characteristics of the case and previous decisions in similar cases. In addition, it is important that existing case-law and guidelines adopted by the Board on the alleged infringements of Regulation (EU) 2016/679 to be investigated be also taken into account by the lead supervisory authority in considering that consensus on the main elements of a case is likely to be reached. In principle, the simple cooperation procedure does not apply where the case raises systemic or recurring problems in several Member States, concerns a general legal issue with regard to the interpretation, application or enforcement of Regulation (EU) 2016/679, is related to the intersection of data protection with other legal fields, affects a large number of data subjects in several Member States, or is related to a large number of complaints in several Member States or where there might be a high risk to the rights and freedoms of data subjects.

(27) Where the lead supervisory authority intends to apply the simple cooperation procedure, it should inform the other supervisory authorities concerned of its intention and provide all relevant information concerning the characteristics of the case and the complaint, including the main relevant facts and the alleged infringement to be investigated. Where the simple cooperation procedure is applied, the lead supervisory authority should continue cooperating with the other supervisory authorities concerned and submit a draft decision within the time limits provided for in this Regulation.

(28) Where a supervisory authority is required to take certain procedural steps within specified time limits, the purpose of those time limits is to ensure that the procedure progresses and concludes within a reasonable time. Those time limits do not preclude supervisory authorities from taking the required procedural steps after their expiry. It is therefore necessary to ensure that taking such procedural steps after the expiry of their corresponding time limits cannot be considered grounds for the illegality or invalidity of the procedural step in question or of the final decision.

(29) The lead supervisory authority should be able to extend the time limit for submitting a draft decision. Such extensions should be applied only on an exceptional basis due to the complexity of a case. The other supervisory authorities concerned should be informed and have the opportunity to submit objections to the extension, which should be taken into account by the lead supervisory authority when determining whether to apply an extension to the time limit and, where applicable, the duration of that extension.