Earlier this month, the European Data Protection Board (EDPB) published a report on the resources that the EU Member States make available to their Data Protection Authorities (DPA) and on the enforcement actions initiated by those DPAs.
Resources made available by the EU Member States to the DPAs
The EDPB report releases statistics on both financial and human resources that the EU Member States provide to the authorities at Member State level responsible for monitoring compliance with data protection laws. As is typical for statistical data, the numbers published by the EDPB should be interpreted in light of possible differences in the competences, activities and financial responsibilities of the DPAs at Member State level.
The following is particularly noteworthy:
- The eighteen German supervisory authorities have received – by far – the highest budget of all DPAs in the EU, with a combined budget of € 94.793.900 in 2021.
- Only 18% of the DPAs considers the allocated overall budget sufficient to carry out their supervisory activities.
- Only 14% of the DPAs considers the allocated human resources sufficient to carry out their supervisory activities.
- The majority of DPA staff has a legal background (with a few exceptions).
National and cross-border enforcement cases
Furthermore, the report provides statistics on national and cross-border enforcement cases initiated by the DPAs. In addition to the total number of enforcement cases, the report mentions:
- The number of cases based on data subject complaints lodged with the DPAs.
- The number of ex officio investigations initiated by the DPAs.
- The number of cases resulting from data breach notifications.
- Information regarding the exercise of the DPAs’ corrective powers, including the total number of cases where DPAs executed their corrective powers, the total amount of fines per year per DPA, the total number of decisions with a fine per DPA, the number of decisions with a fine per year and per DPA, and the largest fine issued thus far.
- The total number of decisions with a fine subject to judicial appeal, as well as the related court decision. It appears that the majority of appealed DPA decisions were confirmed by the courts (with a few exceptions).
- The average time for the DPAs to formally decide on a case (in months). This timeframe varies between two and twenty-six months. In general the time to decide on cross-border enforcement cases subject to a DPA cooperation procedure tends to be longer than the time needed to decide on cases that are limited to one EU Member State.
Finally, for each EU Member State, the report also provides information on the applicable legal deadlines to handle data subject complaints, the procedural rights of complainants and controllers, and the existing costs to appeal decisions under Article 78 GDPR.
EDPB, Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities, adopted on 5 August 2021.
The report is available here: https://edpb.europa.eu/system/files/2021-08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf.