The first overview on the implementation of the GDPR and the roles and means
of the national supervisory authorities has been published by the European Data Protection Board (EDPB)
Since 25 May 2018, 642 procedures have been initiated to identify the Lead Supervisory Authority (SA) and the Concerned SAs in cross-border cases. Out of the 642 procedures, 306 are closed and the Lead
Up to now, no dispute arose on the selection of the Lead SA.
The total number of cases reported by SAs from 31 EEA countries is 206.326. Three different
types of the cases can be distinguished, namely cases based on complaints, cases based on data breach notifications and other types of cases. The majority of the cases are related to complaints, notably 94.622 while 64.684 were initiated on the basis of data breach notification by the controller. 52 % of these cases have already been closed and 1 % of these cases challenged before national court.
SAs from 11 EEA countries have already imposed administrative fines according to Article 58.2 (i) GDPR. The total amount of the imposed fine is 55.955.871 EUR.
Nine months after the entry into application of the GDPR, the members of the EDPB are of
the opinion that the GDPR works quite well in practice making use of the new way of
cooperation including numerous daily exchanges. The One-Stop-Shop cases that have already
led to an outcome tested some of the core principles of the GDPR and were resolved
smoothly. So far, not a single cross-border case has been escalated to the EDPB level.
Despite the increase in the number of cases in the last months, the SAs reported that the
workload is manageable for the moment, in large part thanks to a thorough preparation
during the past two years by SAs, the Article 29 Working Party and by the Board.