From the list of issues, we have derived sixteen “core concepts”, which can provide solutions via high-level principles and rules.

Ideally, these concepts should be abstract enough to capture many problems, with a simple rule or principle that can be included in various provisions throughout the new Regulation.

When developing these principles, we have actively considered existing mechanisms in EU law, such as instruments in procedural rules, which seem to have many common features with GDPR procedures.

Concept 9: Defining the steps of complaints procedures

Especially in complaints procedures, where the filing CSA and the LSA may have to deal with at least two parties, it seems that the initial procedure (e.g. defining the LSA, sending the case, the LSA accepting the referred case, forwarding the complaint to the controller or processor) should be defined and have a clear structure, at least up to the first exchange of positions by the parties.

It seems reasonable that the CSA and LSA would agree on the necessary steps in the investigation after such a first exchange and, for example: define the scope of the investigation; the need for evidence; or the need for further material law clarifications. Such a structure could ensure that jurisdictional issues are clarified, other problems are identified early enough and the CSA must be included in the procedure. This should limit the need to deal with such disagreements via the Article 65 procedure.


  • Ensures that at least the initial steps of a complaints procedure are done in a uniform way.
  • Ensures that LSAs and CSAs agree on the necessary procedural steps early.


  • European rules may interfere with traditional ways of dealing with complaints in Member States. As authorities usually have a lot of leeway on how to structure procedures, such rules should usually not conflict with any national legal obligations.