Cyprus  

The Office of the Commissioner for Personal Data Protection ('the Commissioner') issued, on 25 May 2020, a statement in light of the second anniversary of the General Data Protection Regulation (EU) 2016/679) ('GDPR'). In particular, the Commissioner highlighted that, since the implementation of the GDPR, the Commissioner has handled 740 complaints, 207 of which concerned unwanted direct marketing, 125 data breach notifications, 24 Data Protection Impact Assessments ('DPIA') submitted for prior consultation, and 25 investigations. In addition, the Commissioner noted that it had issued 39 decisions, imposed administrative fines totalling €154,100, and has been involved in 218 cases on a cross-border level, either as a chief or interested authority. 

You can read the statement, only available in Greek, here.

Hamburg 

The Hamburg State Commissioner for Data Protection and Freedom of Information ('HmbBfDI') issued, on 22 May 2020, a statement in light of the two-year anniversary of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the HmbBfDI encouraged individuals to make use of their rights provided for in the GDPR and emerging privacy compliant options. However, the HmbBfDI also highlighted that the implementation of the GDPR and specifically the procedures still contain challenges. In addition, the HmbBfDI stated that the One-Stop-Shop procedure would lead to the reallocation of responsibilities to only a few data protection authorities, especially with regards to global companies. Furthermore, the HmbBfDI suggested the implementation of improvements to the One-Stop-Shop procedure. 

You can read the statement, only available in German, here.  

Rhineland-Palatinate 

The Rhineland-Palatinate data protection authority ('LfDI Rhineland-Palatinate') issued, on 22 May, a statement in light of the two-year anniversary of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the LfDI Rhineland-Palatinate provided statistics on the amount of fines it issued since the entry into force of the GDPR, highlighting that it has issued nine fines of a total amount of €155,000. Moreover, the LfDI Rhineland-Palatinate stated that the highest fine issued was €105,000 and was based on deficits regarding the management of sensitive patient data. Moreover, the LfDI Rhineland-Palatinate highlighted that, in 2018, 105 data breaches were notified, in 2019 the number rose to 319 and that in the first months of 2020, already 200 data breaches had been notified.  

You can read the statement, only available in German, here. 

Brandenburg 

The Brandenburg data protection authority ('Brandenburg LDA') issued, on 25 May 2020, a statement in light of the two-year anniversary of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Brandenburg LDA highlighted that the GDPR has strengthened citizens' privacy rights and that the European-wide application means greater legal certainty and predictability, especially for companies. Moreover, the Brandenburg LDA stated that the German Data Protection Conference made suggestions for improvements in detail but pointed out that two years may be too early to fully assess the success of the data protection reform and revise the text of the GDPR. Finally, the Brandenburg LDA stated that much will depend on what regulations the European legislator will make regarding confidentiality in electronic communications. 

You can read the statement, only available in German, here. 

Greece 

The Hellenic Data Protection Authority ('HDPA') issued, on 25 May 2020, a statement on the two-year anniversary of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the HDPA noted that, in the period between 25 May 2018 and 24 May 2020, the total fines imposed by the HDPA amounted to €1,565,000 and that the HDPA has completed, since the entry into force of the GDPR, 896 cases and has investigated 1,100 complaints. In addition, the HDPA outlined issues they face in light of the COVID-19 ('Coronavirus') crisis, including the launch of tracing apps, and the need to safeguard the public interest while protecting personal data and privacy.  

You can download the statement, only available in Greek, here.

Latvia

The Data Protection Inspectorate ('DVI') issued, on 25 May 2020, a statement on the two-year anniversary of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the DVI provided, among other things, statistics of the DVI's enforcement activity, guidance on the processing of personal data through video surveillance, and information about the absence of an obligation to register the processing of personal data with the DVI. More specifically, with respect to its enforcement activity, the DVI noted that in the first four months of 2020 it has initiated 17 new investigations, and that complaints often concern video surveillance, social networking and online activities, direct marketing communications, and exercise of data subject rights. 

You can read the statement, only available in Latvian, here. 

Romania

The National Supervisory Authority for Personal Data Processing ('ANSPDCP') issued, on 25 May 2020, a statement on the two-year anniversary of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the ANSPDCP noted that, after the adoption of the national GDPR implementing law in 2018, they have monitored compliance with the GDPR with respect to both the public and the private sector. In addition, the ANSPDCP highlighted that it aims to diversify its actions to promote the rules surrounding personal data processing. 

You can read the statement, only available in Romanian, here. 

Guernsey

The Office of the Data Protection Authority ('ODPA') published, on 24 May 2020, a Blog ('the Blog') on the context and aim of the General Data Protection Regulation (EU) 2016/679) ('GDPR'), in light of GDPR's two-year anniversary. In particular, the Blog outlines, among other things, the main innovations in the GDPR and the Data Protection (Bailiwick of Guernsey) Law 2017 ('the Law'), which include the incorporation of the principle of purpose limitation, the notion of consent, and the right to be forgotten. In addition, the Blog makes reference to ODPA's 2019-2022 strategic plan which stresses the positive approach that the ODPA takes in assisting and advising the regulated community, and highlights that the success of the GDPR and the Law will be measured, not in the number of fines imposed, but rather in changes in the culture and behaviour of everyone involved.

You can read the press release here and the Blog here.

Belgium

The Data Protection Authority ('DPA') issued, on 25 May 2020, statistics related to its activity in 2019 as the second year with the GDPR in operation. In particular, the DPA outlined that it had received 351 complaints, issued 128 opinions on draft legislation, and 937 data breach notifications. Furthermore, the Belgian DPA highlighted that it had led more than 100 investigations since 25 May 2019, noting the upcoming conclusion of a large-scale investigation into cookie management by popular websites and a shift from a reactive strategy to a proactive strategy. In addition, the DPA indicated that its Litigation Chamber had issued 59 penalties, of which nine were fines totalling the amount of €189,000. 

You can read the press release in Dutch here and French here. 

Lithuania 

The State Data Protection Inspectorate ('VDAI') issued, on 25 May 2020, a statement on the two-year anniversary of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the VDAI outlined its enforcement activity related to the implementation of the GDPR and noted the need for improvement in light of the use of the Internet of Things and artificial intelligence, and the increasing use of the digital space during the COVID-19 ('Coronavirus') pandemic. More specifically, the VDAI stated that in the two years following the GDPR entry into force, it has issued 121 reprimands and nine fines of which most were mostly related to data subject rights and the failure of companies to comply with the VDAI's recommendations.  

You can read the statement, only available in Lithuanian, here.