GDPR Developments

January 2026

New procedural regulation for cross-border data protection complaints

On 12 December 2025, a new EU procedural regulation was published with the aim of accelerating and streamlining the enforcement of the GDPR in cross-border cases. The previous system for handling cross-border complaints often resulted in lengthy and opaque proceedings, increasing both costs and legal uncertainty for organisations and individuals alike.

A key element is the harmonisation of admissibility criteria for complaints across Member States and the strengthening of the procedural rights of the parties, including the right to comment on key evidence and preliminary findings.

The Regulation sets binding deadlines for the handling of cross-border cases, including a 15-month timeframe, with the possibility of a one-off extension of up to 12 months in exceptionally complex cases. It also introduces an “early resolution” mechanism, allowing proceedings to be closed where the infringement has been remedied and the complaint has become moot, while preserving procedural safeguards for the complainant.

The new procedural rules will become fully applicable as of 2 April 2027.

DMA and GDPR – Joint Guidelines of the EDPB and the Commission

On 9 October 2025, the European Data Protection Board (EDPB) and the European Commission published joint guidelines clarifying obligations under the Digital Markets Act (DMA) and the GDPR.

The purpose of the guidelines is to ensure a consistent interpretation of both instruments and to provide legal certainty for so-called gatekeepers (large digital platforms such as Meta, Google and Apple), which are required to comply with the DMA while at the same time respecting the principles of the GDPR. A key message of the joint guidelines is that both regulations apply in parallel, and that the DMA does not replace the GDPR nor does it introduce a new legal basis for the processing of personal data.

The main topics addressed by the guidelines include:

  • requirements for valid user consent under Article 5(2) DMA and the GDPR, enabling gatekeepers to lawfully combine or cross-use personal data across core platform services;
  • the obligation to offer a “less personalised but equivalent” version of the service;
  • the determination of legal bases for processing and their limitations;
  • interoperability (the obligation for gatekeepers to technically enable the interconnection of their services with others) and the requirement to carry out data protection impact assessments (DPIAs);
  • coordination of supervision between the European Commission and national supervisory authorities.

The joint guidelines confirm that the DMA and the GDPR complement rather than replace each other, and that the protection of personal data remains a non-negotiable boundary, even in the context of compliance with digital regulation.

The guidelines have been published as a draft for consultation, with comments accepted until 4 December 2025. The final version is expected to be published in 2026.

EDPB Opinion on the Adequacy of the UK

In October 2025, the EDPB adopted two opinions on the European Commission’s proposal to extend the UK adequacy decisions (under the GDPR and the Law Enforcement Directive – LED). The Commission proposes to extend the validity of the adequacy decisions for a further six years, i.e. until 27 December 2031.

The EDPB concluded that the UK legal framework continues, in essence, to be aligned with the EU framework and that personal data may therefore continue to be transferred without the need for additional safeguards. At the same time, however, it identified several areas in which future developments in UK law should be closely monitored. These include in particular the new UK test for transfers of personal data to third countries based on the criterion that the level of protection must not be “materially lower”, a more permissive approach to automated decision-making and potential limitations on the right to human review, as well as the expansion of exemptions from certain data protection principles in the context of national security and law enforcement. The Commission will need to take these aspects into account in its final decision and ensure their consistent and ongoing monitoring.

Coordinated Enforcement Action 2026

The EDPB has selected compliance with transparency and information obligations towards data subjects as the topic of its fifth coordinated enforcement action, which will take place in 2026.

Supervisory authorities in the individual Member States will focus on assessing whether controllers comply with the requirements set out in Articles 12, 13 and 14 GDPR, and whether they properly inform individuals about the processing of their personal data.

The results of the national investigations will subsequently be aggregated into a joint report, which may serve as a basis for further targeted enforcement measures. This action forms a key part of the EDPB’s long-term strategy for 2024–2027 and follows previous coordinated actions focusing on the use of cloud services by the public sector, the role of data protection officers, the right of access, and the currently ongoing assessment of the right to erasure.

EDPS Guidelines on AI Risk Management

On 11 November 2025, the European Data Protection Supervisor (EDPS) issued new guidelines on the identification and mitigation of risks associated with the development, procurement and operation of artificial intelligence systems. The primary objective of these guidelines is to help identify and mitigate risks to individuals’ fundamental rights arising from the processing of personal data through AI systems. The guidelines focus on technical measures to ensure compliance with key data protection principles, namely fairness, accuracy, data minimisation and security.

The EDPS emphasises the importance of the interpretability and explainability of AI systems as a prerequisite for meeting other legal obligations and highlights the heightened risks associated with the use of so-called black-box models. In relation to fairness, the guidelines address the elimination of bias arising both from data and from algorithm design, which may lead to discriminatory outcomes. With regard to accuracy, the EDPS draws attention, inter alia, to hallucinations in generative models and to the risk of data drift (i.e. the degradation of data quality over time). A significant part of the guidelines is also devoted to security threats, including model inversion attacks (where training data can be reconstructed from model outputs), as well as the practical difficulties associated with the exercise of data subject rights.

The guidelines shift the focus from formal GDPR compliance to active and continuous risk management of AI systems. In practice, this means that the deployment of artificial intelligence is not a one-off step, but a continuous process requiring systematic documentation, technical controls and regular assessments of impacts on fundamental rights. Controllers must assess explainability, data quality, security and the practical enforceability of data subject rights as early as the stage of selecting or procuring AI systems, secure these requirements contractually and technically, and continuously monitor risks such as hallucinations, bias or data drift. Responsibility for compliance with legal requirements remains with the controller at all times, not with the AI provider.

Digital Legal Update 01/2026 here.

The information contained in this bulletin is presented to the best of our knowledge and belief at the time of going to press. However, specific information related to the topics covered in this bulletin should be consulted before any decision is made. The information contained in this bulletin should not be construed as an exhaustive description of the relevant issues and any possible consequences, and should not be fully relied on in any decision-making processes or treated as a substitute for specific legal advice, which would be relevant to particular circumstances. Neither Weinhold Legal, s.r.o. advokátní kancelář nor any individual lawyer listed as an author of the information accepts any responsibility for any detriment which may arise from reliance on information published here. Furthermore, it should be noted that there may be various legal opinions on some of the issues raised in this bulletin due to the ambiguity of the relevant provisions and an interpretation other than the one we give may prevail in the future.

Automatic text and data mining, as well as reproduction or extraction of their content for the purposes of automated analysis from this information material, is prohibited pursuant to Article 4 of Directive (EU) 2019/790 and Section 39c of Act No. 121/2000 Coll., the Copyright Act, without the prior express written consent of Weinhold Legal, s.r.o., law firm, unless, in any such use, the authorship of Weinhold Legal, s.r.o., law firm is expressly acknowledged together with a reference to the location of such text and data.

© 2025 Weinhold Legal

All rights reserved.
