The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how:

  • the GDPR’s “one stop shop” mechanism has been bedding down; and
  • the number of data subject complaints and data breach notifications has increased since GDPR came into force.

What do the statistics show?

During GDPR’s first year, the EDPB case register logged 446 cross-border cases. 205 of these (46 per cent) have been dealt with under the one stop shop procedure. The one stop shop is designed to enable companies that process the personal data of people in more than one EEA state to deal with a single EEA regulator. This regulator is known as a company’s lead supervisory authority (LSA). An LSA must be identified by a company in its EU place of central administration.

Most EEA regulators have seen significant increases in the number of complaints received from data subjects and data breach notifications submitted by companies. More than 144,000 queries and complaints have been made by individuals. Over 89,000 data breach notifications have been made by companies. The increase in queries and complaints substantiates the EDPB’s findings that data protection awareness is on the rise across Europe. The EDPB’s research found that 67 per cent of EU citizens have heard of GDPR. This is an increase of 20 per cent when compared to 2015.

The one stop shop: what’s in it for companies?

As highlighted in our recent article about GDPR’s first year, companies involved in cross-border personal data processing should prioritise identifying their LSA. Knowing your LSA at a time of crisis – for example, a pan-EEA personal data breach – is important. It will save you time and money and massively reduce your administrative burden. Instead of having to deal with upwards of 45 EEA regulators, you only have to liaise with your LSA. Your LSA will coordinate its investigation and response with other regulators, if necessary. Personal data breaches are difficult enough to respond to without having to coordinate responses for an impossibly large number of regulators.


The past year has been challenging for privacy professionals. It has been a year of increased privacy and data protection awareness. The statistics published by the EDPB are a helpful snapshot. They provide quantitative proof that privacy and data protection are more prominent now than they ever have been. The EDPB’s stated intention is to continue to listen to and cooperate with people and businesses involved in daily data processing. GDPR’s year two will, most likely, involve ever greater cooperation between regulators. Companies should take note and plan accordingly.