On February 26, 2019, the European Data Protection Board (the “EDPB”) presented its first overview of the GDPR’s implementation and the roles and means of the national supervisory authorities to the European Parliament (the “Overview”).
The Overview provides key statistics relating to the consistency mechanism among national data protection authorities (“DPAs”), the cooperation mechanism of the EDPB, the means and powers of the DPAs and enforcement of the GDPR at the national level.
Key takeaways and statistics from the report include:
- 642 procedures have been initiated to identify the lead DPA and concerned DPAs in cross-border cases. 306 of these procedures have concluded with the lead supervisory authority identified.
- 30 different DPAs have registered a total of 281 cases with cross-border components in the Internal Market Information system– an IT system that provides a method of information sharing among supervisory authorities. The main topics of these cases relate to the exercise of individual rights, consumer rights and data breaches.
- 45 one-stop-shop procedures were initiated by DPAs from 14 different EEA countries — 23 cases are currently at the informal consultation stage, 16 are at the draft decision stage and 6 cases have been finalized.
- 444 mutual assistance requests, both formal and informal, have been triggered by DPAs from 18 different EEA countries.
- The EDPB has adopted 28 consistency opinions regarding the national lists of processing subject to a data protection impact assessment.
- The EDPB also has adopted a consistency opinion on a draft administrative arrangement for the transfer of personal data between financial supervisory authorities.
- The EDPB is currently working on further consistency opinions and procedures relating to the interplay between the GDPR and the ePrivacy Directive, binding corporate rules and a draft standard contract between data controllers and data processors.
Budget and Human Resources
- 23 DPAs reported an increase in their regulatory budgets for 2018-2019.
- Three DPAs reported no increase in budget while two DPAs reported a decrease.
- With respect to human resources, 17 DPAs reported an increase in headcount for 2018-2019, while eight reported no change and one DPA reported a decrease in personnel.
Implementation and Enforcement of the GDPR at National Level
- The total number of cases reported by DPAs from 31 EEA countries totaled 206,326 with 94,622 of these comprising complaints and 64,684 initiated on the basis of data breach notification by controllers.
- 52% of the above cases have concluded while 1% are being challenged before national courts.
- DPAs from 11 EEA countries reported imposing administrative fines under the GDPR totaling €55,955,871.
The Overview concludes by noting that members of the EDPB view the GDPR as working well in practice and that the workload of DPAs is manageable due to thorough preparation for the GDPR over the past two years.