GDPR compliance remains murky

Since the 25 May 2018 launch of the EU's General Data Protection Regulation (GDPR), which provides for a uniform set of data protection rules directly applicable in all EU member states, supervisory authorities have leveled "effective, proportionate and dissuasive" fines when uncovering processing activity that has been non-compliant with the regulation. But there has been no consensus across the EU on reporting non-compliance and fines.

There is almost unanimous agreement that concise reporting on non-compliance and fines across the EU would be an asset. Depending on the nature of an infringement, a fine could amount to up to EUR 20 million or 4% of a business's total annual worldwide turnover for the preceding financial year. (In fact, the alignment of data protection fines with those of antitrust law could, from a German point of view, be one of the most remarkable innovations of the GDPR.)

GDPR after one year

Across the EU, businesses and public institutions appear to be making the same mistakes when running afoul of the GDPR. In a nutshell, the following activities are among the most frequently sanctioned under the regulation:

  • inadequate response to data-subject requests (e.g. for access, deletion or information);
  • illegal video surveillance (Dashcam and CCTV);
  • unlawful data processing (of former customers);
  • violations of confidentiality (disclosure of the data to unauthorised recipients;
  • lack of both information and transparency; and
  • insufficient security measures (technical and organisational measures).

This first year of the GDPR regime revealed a mixed picture of assessing fines by the various authorities. Despite surprisingly positive figures overall (fewer fines have been issued than many expected), companies are advised not to underestimate future data protection enforcement. According to several German authorities, this first year's focus has been on advising the public, companies and data subjects. From now on, however, the authorities stress that they will be increasing enforcement activities. The number of cases is expected to increase in Germany and some fines will certainly expand to millions of Euros.

Lack of a uniform fine-publication system

After the first year of the GDPR's application, it has become painfully clear that data protection supervisory authorities in member states do not have a uniform approach to whether and how their decisions are made available to the public.

While data protection supervisory authorities in EU member states such as Austria, UK and Bulgaria usually publish their decisions after they have been anonymised, this approach is uncommon in Germany. In fact, the 18 German data protection supervisory authorities (one per federal state, two in Bavaria and the federal authority) have not agreed upon a mutual practice. Hence, an EU-wide consensus for public reporting does not seem likely.

Private sector steps up to provide an EEA-wide up-to-date overview

Because anyone wishing to get an overview of GDPR fines will encounter difficulties, the business and legal communities have risen to the challenge and attempted to collect and collate data on GDPR infringements: all in an effort to assist European business and public sector in its transition to the new GDPR regime.

In Germany, several surveys were launched, which have collected data on over 100 GDPR fines (for details in German, click here). Although valuable tools, most of these surveys lack detailed background information on the cases. A group of lawyers in CMS Germany, realising the general need for up-to-date and detailed information on GDPR reporting, are maintaining a list at, which was created to be a comprehensive EU-wide source on GDPR fines which have become publicly known.

More tools are likely to follow as the private sector struggles to come to terms with the lack of official reporting on GDPR supervision.

Most GDPR specialists agree that exact reporting on GDPR infringement will assist the business community across the Union in its efforts to both fully understand and comply with this regulation. For the present, this must is clear.

Companies should continue their efforts to ensure technical and organisational security for their data, comply fully with transparency requirements and respond to all enquiries from data subjects in a timely and appropriate manner. In regard to data requests, it is highly recommended that companies develop adequate procedures to clarify areas of responsibility and data gathering processes so that all requests are answered as quickly as possible. Once a request is on the table, the clock is ticking and speed and efficiency in responding are of the essence.