Since 25 May 2018, 642 procedures have been initiated to identify the Lead Supervisory Authority (SA) and the Concerned SAs in cross-border cases. Out of the 642 procedures, 306 are closed and the Lead SA identified. Up to now, no dispute arose on the selection of the Lead SA.
The total number of cases reported by SAs from 31 EEA countries is 206.326. Three different types of the cases can be distinguished, namely cases based on complaints, cases based on data breach notifications and other types of cases. The majority of the cases are related to complaints, notably 94.622 while 64.684 were initiated on the basis of data breach notification by the controller. 52 % of these cases have already been closed and 1 % of these cases challenged before national court.
SAs from 11 EEA countries have already imposed administrative fines according to Article 58.2 (i) GDPR. The total amount of the imposed fine is 55.955.871 EUR.
Nine months after the entry into application of the GDPR, the members of the EDPB are of the opinion that the GDPR works quite well in practice making use of the new way of cooperation including numerous daily exchanges. The One-Stop-Shop cases that have already led to an outcome tested some of the core principles of the GDPR and were resolved smoothly. So far, not a single cross-border case has been escalated to the EDPB level. Despite the increase in the number of cases in the last months, the SAs reported that the workload is manageable for the moment, in large part thanks to a thorough preparation during the past two years by SAs, the Article 29 Working Party and by the Board.