Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: GDPR five-year anniversary, DPAs issue statements 

Today marks five years since the entry into effect of the General Data Protection Regulation (GDPR) and data protection authorities from the EU have been reflecting on the past few years and discussing what is to come. A number of authorities have issued statements highlighting activity summaries and future plans to mark the occasion.

Denmark

The Danish data protection authority (Datatilsynet) issued, on May 25, 2023, a press release in commemoration of the GDPR's five-year anniversary, in which it stated that it will be celebrating the occasion in a new episode of its podcast, which will address:

  • how the past five years of GDPR applicability have gone;
  • what have been the biggest surprises in that regard;
  • how compliance by companies and authorities is going; and
  • expectations for the coming years. 

You can read the press release here and access the podcast episode here.

Germany

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued, on May 24, 2023, a statement to mark the GDPR's five-year anniversary, highlighting its participation to the joint discussion, on May 23, 2023, with the Bavarian data protection authority (BayLfD) and the European Data Protection Board (EDPB). The BfDI detailed that they, together with data protection officers (DPOs) and high-ranking representatives of EU bodies, made an interim assessment of the practical application of the GDPR.

The BfDI noted that all speakers emphasized the milestone character of the GDPR. In terms of enforcement of the GDPR, the BfDI emphasized that, while it was successfully implemented, further steps are needed to ensure broad and effective enforcement.

Separately, on May 25, 2023, the BfDI drew a positive conclusion on the past five years and mentioned the role model effect of the GDPR for other countries, such as Japan, South Korea, Israel, Brazil, and various US states. Regarding the future, the BfDI stated that it sees future challenges, particularly in the specific regulation of new technologies, such as artificial intelligence (AI).

You can read the press release, only available in German, here.

Bavaria

The BayLfD issued, on May 24, 2023, a statement to mark the GDPR's five-year anniversary, highlighting its participation in the joint discussion, on May 23, 2023, with the BfDI and the EDPB.

You can read the press release, only available in German, here.

Finland

On May 25, 2023, the Office of the Data Protection Ombudsman (the Ombudsman) published a statement to mark the five-year anniversary of the GDPR. The Ombudsman noted that the GDPR has improved people's data protection rights and brought to EU data protection authorities the means to deal with violations of data protection legislation. The Ombudsman outlined that, in 2022 alone, EU data protection authorities imposed 1,400 fines for GDPR violations.

You can read the press release, only available in Finnish, here.

Romania

On May 25, 2023, the National Supervisory Authority for Personal Data Processing (ANSPDCP) published a statement to mark the five-year anniversary of the GDPR. In addition, the ANSPDCP presented a summary of the most significant aspects of its activity during the first four months of 2023, outlining, among other things, that:

  • the ANSPDCP received 1,565 complaints and notifications regarding security incidents;
  • it opened 199 investigations;
  • it imposed 36 fines on companies for a total amount of $77,175;
  • it issued 40 warnings to companies; and
  • it imposed 39 corrective measures on companies.

You can read the press release, only available in Romanian, here.

Italy

On May 25, 2023, the Italian data protection authority (Garante) issued a press release to celebrate the five-year anniversary of the GDPR. The Garante noted that the GDPR represented a radical change of approach to privacy by holding data controllers accountable. As a result, the Garante highlighted that privacy is no longer a formal obligation, but instead, it has become an integral and permanent part of the activities of companies and public administrations.

Pasquale Stanzione, President of the Garante, stated that the GDPR has revealed its strength by constantly balancing the most diverse individual and collective needs. According to Stanzione, with the GDPR, the EU offered its Member States, but also the world, a specific model of governance of innovation based on a sustainable balance between technology and freedom.

You can read the announcement, only available in Italian, here.

Baden-Württemberg

On May 25, 2023, the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) issued a statement to celebrate the five-year anniversary of the GDPR. The LfDI Baden-Württemberg highlighted that, over the past five years, the GDPR strengthened the fundamental right to data protection in various ways, whilst also making a significant contribution to safeguarding the democratic legal and economic order across all Member States, as well as to enabling sustainable digitization.

You can read the press release, only available in German, here.

Ireland

On May 25, 2023, the Data Protection Commission (DPC) published a press release celebrating the five-year anniversary of the GDPR by releasing a podcast on children's data protection rights and translating their Annual Report 2022 into four languages. These initiatives aim to highlight the DPC's work and make information more accessible.

You can read the press release here.

Slovakia

On May 25, 2023, the Office for the Protection of Personal Data for the Slovak Republic (ÚOOÚ) issued a press release to commemorate the five-year anniversary of the GDPR. The ÚOOÚ emphasized the growing awareness and interest among the general public and experts regarding data protection and privacy rights. Moreover, the ÚOOÚ acknowledged the need for flexibility in regulations to address the diverse situations that arise in data processing.

In addition, the ÚOOÚ released the methodological guidelines on the topic of monitoring individuals through camera devices on residential properties. In particular, the guidelines aim to assist individuals in making informed decisions about the installation and use of camera devices in their homes while considering the provisions of the GDPR and other relevant laws.

You can read the press release here and the guidelines here, both only available in Slovak.

Germany

On May 25, 2023, the German Data Protection Conference (DSK) issued a statement to celebrate the five-year anniversary of the GDPR. The DSK highlighted achievements regarding raising awareness on the rights of access, rectification, and deletion of personal data across the EU, as well as pointing to the supervisory authorities' work in handling complaints.

Further, the DSK considered the concept of a uniform data protection law as a model for success, with the EDPB acting as an important body to provide assistance in interpreting the law. However, the DSK stated that it is not entirely satisfied with the implementation of the principles of Data Protection by Design and by Default according to Article 25 of the GDPR.

You can read the press release, only available in German, here.

Poland

On May 25, 2023, the Polish data protection authority (UODO) issued a statement in commemoration of the five-year anniversary of the GDPR. The UODO highlighted that the GDPR has marked a revolution in data protection, noting that:

  • the awareness of the rights of persons whose data is processed has significantly increased; and
  • controllers have shifted their approach to personal data protection from a one-time activity approach, such as standard technical safeguards, to a more process-driven approach whereby controllers take an active role in constantly analyzing risks associated with data processing, testing of security measures, and whether certain data is necessary to achieve specific goals.

You can read the press release, only available in Polish, here.

Cyprus

On May 25, 2023, the Office of the Commissioner for Personal Data Protection (the Commissioner) issued a statement to mark the GDPR's five-year anniversary. In particular, the Commissioner noted that during the five years, it handled 397 data breach notifications and 2,178 complaints, of which 651 were related to spam. The Commissioner also issued 224 decisions, imposed administrative fines totaling €1,445,600, carried out audits (on-site/website audits/questionnaires sent), as well as impact assessments, among other things.

Furthermore, the Commissioner confirmed it is intensifying efforts to consolidate and maintain the culture of data protection.

You can read the press release, only available in Greek, here.