From the list of issues, we have derived sixteen “core concepts”, which can provide solutions via high-level principles and rules.

Ideally, these concepts should be abstract enough to capture many problems, with a simple rule or principle that can be included in various provisions throughout the new Regulation.

When developing these principles, we have actively considered existing mechanisms in EU law, such as instruments in procedural rules, which seem to have many common features with GDPR procedures.

Concept 14: Clear deadlines, especially for LSAs

Currently, most clear deadlines apply only to CSAs and the EDPB, leaving the LSA with very open deadlines like “without delay”. This leads to some LSAs taking up to four years to reach a “draft decision”, more than three years to even open an investigation, or more than half a year to trigger, for example, the Article 65 procedure after reasoned objections arrived. These loopholes need to be fixed to ensure that LSAs cannot undermine procedures just by delaying them. The fact that LSAs cannot be held to account for delays is also problematic for CSAs that must adhere to maximum durations for procedures nationally.

While the short deadlines of two or four weeks in Article 60 GDPR have proven to be unrealistic, a comparison by the EDPB largely found that SAs have to decide within three, six or twelve months in many Member States. These durations could be the baseline for deadlines in the Regulation. An option to prolong deadlines in cases of force majeure or in very complex cases (see above for the differentiation of minor/normal/major cases) could allow for necessary flexibility.