GDPR in numbers

A year after the enter into force of the General Data Protection Regulation (GDPR) we have collected data from sixteen Data Protection Authorities (DPAs) regarding complaints received, number of data breach notifications and fines imposed, among other data.
No. 4, 11 June 2019 – GDPR anniversary edition Issue

Happy birthday GDPR!

One year after the enter into force of the General Data Protection Regulation (GDPR) we are thrilled to present you the collected data we obtained from sixteen Data Protection Authorities (DPAs). We will update the information provided on this table with more information from DPAs in the following days as we follow up with the DPAs who did not send us the information yet.

Countries covered in this edition

For this edition, we were able to obtain comprehensive data on DPA activity from fifteen DPAs . Unfortunately, despite having contacted all the DAPs members of the European Data Protection Board (EDPB), not all of them have been able to provide us with the requested figures.

The charts below present statistical data provided by the DPAs from Cyprus, Estonia**, Finland, Germany, Greece, Iceland, Ireland, Latvia, Lithuania, Luxembourg, Poland, Portugal, Romania, Slovenia, Spain and Sweden.

The reference dates for the data we requested were 25 May 2018 – 15 May 2019 and what we asked for were:

  • the number of complaints received by the DPA,
  • the number of proceedings initiated on the own initiative of the DPA,
  • the number of data breach notifications,
  • the number of proceedings terminated by a decision,
  • the amounts of fines imposed,
  • the number of codes of conduct (submitted or approved)

Time to publish EU Data regularly and with comparative figures?

We have asked in the past the European Data Protection Board (EDPB) to develop protocols which require and explain how national DPAs should publicly report specifically comparable figures at frequent and regular intervals. Unfortunately this has not happened yet.

The numbers show that since the GDPR entered into force an important number of complaints have been filed across the EU and that despite the GDPR not being the “sanctioning-machine” feared by data-intensive companies, many DPAs have enforced fines when needed. Paradoxically, the DPA where most tech business are based (Ireland) has not yet imposed a fine following any of the investigations. This has raised some concerns regarding lack of general enforcement of the GDPR.

Putting the number in context

During the first year after the enter into application put the German regional DPAs as the busiest of all the authorities from which we had data. On the other hand, Portugal is the leader regarding own-initiative cases (those which are not initiated by a private individual or organisation) and it has terminated less cases than Spain. In terms of fines, Germany has taken the lead in our chart with almost 500000€ , but that is only due to the lack of data from the french authority, who has issue the largest fine so far (50 million €).

According to the data we obtained. Poland, Sweden, Greece and Slovenia are the only DAPs that have approved or submitted codes of conduct under the GDPR.

So, again, can we make public data publicly available?

In order to be able to monitor the correct implementation of the GDPR publishing public data is crucial. As we said in the past, the availability of evidence regarding the impact of GDPR on businesses, organisations and individuals make



Cyprus : figures gathered by Homo Digitalis

Estonia: figures gathered by EDRi

Finland : figures gathered by EDRi **

Germany: figures* gathered by Jens Kubieziel and CCC

*partial figures relating only to a number of regional DPAs data available

Greece : figures gathered by Homo Digitalis

Iceland : figures gathered by EDRi

Ireland: figures gathered from Ireland’s Data Protection Commission

Latvia : figures gathered by EDRi

Lithuania: figures gathered by EDRi **

Luxembourg : figures gathered by Frënn vun der Ënn A.S.B.L.

Poland: figures gathered by Panoptykon Foundation

Portugal: figures gathered by EDRi

Romania : figures gathered by APTI

Slovenia : figures gathered by EDRi

Spain : figures gathered by EDRi

Sweden:  figures gathered by Data Skydd

** Added after publication


The number of complaints submitted to the DPAs. Lawsuits filed with courts are not included.

Proceedings initiated on the own initiative

Breach notifications

The number of data breach notifications submitted to Data Protection Authorities by businesses or other organisations, pursuant to Article 33 of the GDPR.

Proceedings terminated by a decision

Amount of fines (in EUR)

Codes of Conduct (approved or submitted)