Happy birthday GDPR!
One year after the enter into force of the General Data Protection Regulation (GDPR) we are thrilled to present you the collected data we obtained from sixteen Data Protection Authorities (DPAs). We will update the information provided on this table with more information from DPAs in the following days as we follow up with the DPAs who did not send us the information yet.
Countries covered in this edition
For this edition, we were able to obtain comprehensive data on DPA activity from fifteen DPAs . Unfortunately, despite having contacted all the DAPs members of the European Data Protection Board (EDPB), not all of them have been able to provide us with the requested figures.
The charts below present statistical data provided by the DPAs from Cyprus, Estonia**, Finland, Germany, Greece, Iceland, Ireland, Latvia, Lithuania, Luxembourg, Poland, Portugal, Romania, Slovenia, Spain and Sweden.
The reference dates for the data we requested were 25 May 2018 – 15 May 2019 and what we asked for were:
- the number of complaints received by the DPA,
- the number of proceedings initiated on the own initiative of the DPA,
- the number of data breach notifications,
- the number of proceedings terminated by a decision,
- the amounts of fines imposed,
- the number of codes of conduct (submitted or approved)
Time to publish EU Data regularly and with comparative figures?
We have asked in the past the European Data Protection Board (EDPB) to develop protocols which require and explain how national DPAs should publicly report specifically comparable figures at frequent and regular intervals. Unfortunately this has not happened yet.
The numbers show that since the GDPR entered into force an important number of complaints have been filed across the EU and that despite the GDPR not being the “sanctioning-machine” feared by data-intensive companies, many DPAs have enforced fines when needed. Paradoxically, the DPA where most tech business are based (Ireland) has not yet imposed a fine following any of the investigations. This has raised some concerns regarding lack of general enforcement of the GDPR.
Putting the number in context
During the first year after the enter into application put the German regional DPAs as the busiest of all the authorities from which we had data. On the other hand, Portugal is the leader regarding own-initiative cases (those which are not initiated by a private individual or organisation) and it has terminated less cases than Spain. In terms of fines, Germany has taken the lead in our chart with almost 500000€ , but that is only due to the lack of data from the french authority, who has issue the largest fine so far (50 million €).
According to the data we obtained. Poland, Sweden, Greece and Slovenia are the only DAPs that have approved or submitted codes of conduct under the GDPR.
So, again, can we make public data publicly available?
In order to be able to monitor the correct implementation of the GDPR publishing public data is crucial. As we said in the past, the availability of evidence regarding the impact of GDPR on businesses, organisations and individuals make
DETAILS CONCERNING DATA COLLECTION IN INDIVIDUAL COUNTRIES
Cyprus : figures gathered by Homo Digitalis
Estonia: figures gathered by EDRi
Finland : figures gathered by EDRi **
Germany: figures* gathered by Jens Kubieziel and CCC
*partial figures relating only to a number of regional DPAs data available
Greece : figures gathered by Homo Digitalis
Iceland : figures gathered by EDRi
Ireland: figures gathered from Ireland’s Data Protection Commission
Latvia : figures gathered by EDRi
Lithuania: figures gathered by EDRi **
Luxembourg : figures gathered by Frënn vun der Ënn A.S.B.L.
Poland: figures gathered by Panoptykon Foundation
Portugal: figures gathered by EDRi
Romania : figures gathered by APTI
Slovenia : figures gathered by EDRi
Spain : figures gathered by EDRi
Sweden: figures gathered by Data Skydd
** Added after publication