Today marks five years since the entry into effect of the General Data Protection Regulation (GDPR) and data protection authorities from the EU have been reflecting on the past few years and discussing what is to come. A number of authorities have issued statements highlighting activity summaries and future plans to mark the occasion.

Denmark

The Danish data protection authority (Datatilsynet) issued, on May 25, 2023, a press release in commemoration of the GDPR's five-year anniversary, in which it stated that it will be celebrating the occasion in a new episode of its podcast, which will address:

• how the past five years of GDPR applicability have gone;
• what have been the biggest surprises in that regard;
• how compliance by companies and authorities is going; and
• expectations for the coming years. 

You can read the press release here and access the podcast episode here.

Germany

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued, on May 24, 2023, a statement to mark the GDPR's five-year anniversary, highlighting its participation to the joint discussion, on May 23, 2023, with the Bavarian data protection authority (BayLfD) and the European Data Protection Board (EDPB). The BfDI detailed that they, together with data protection officers (DPOs) and high-ranking representatives of EU bodies, made an interim assessment of the practical application of the GDPR.

The BfDI noted that all speakers emphasized the milestone character of the GDPR. In terms of enforcement of the GDPR, the BfDI emphasized that, while it was successfully implemented, further steps are needed to ensure broad and effective enforcement.

Separately, on May 25, 2023, the BfDI drew a positive conclusion on the past five years and mentioned the role model effect of the GDPR for other countries, such as Japan, South Korea, Israel, Brazil, and various US states. Regarding the future, the BfDI stated that it sees future challenges, particularly in the specific regulation of new technologies, such as artificial intelligence (AI).

You can read the press release, only available in German, here.

Bavaria

The BayLfD issued, on May 24, 2023, a statement to mark the GDPR's five-year anniversary, highlighting its participation in the joint discussion, on May 23, 2023, with the BfDI and the EDPB.

You can read the press release, only available in German, here.

Finland

On May 25, 2023, the Office of the Data Protection Ombudsman (the Ombudsman) published a statement to mark the five-year anniversary of the GDPR. The Ombudsman noted that the GDPR has improved people's data protection rights and brought to EU data protection authorities the means to deal with violations of data protection legislation. The Ombudsman outlined that, in 2022 alone, EU data protection authorities imposed 1,400 fines for GDPR violations.

You can read the press release, only available in Finnish, here.

Romania

On May 25, 2023, the National Supervisory Authority for Personal Data Processing (ANSPDCP) published a statement to mark the five-year anniversary of the GDPR. In addition, the ANSPDCP presented a summary of the most significant aspects of its activity during the first four months of 2023, outlining, among other things, that:

• the ANSPDCP received 1,565 complaints and notifications regarding security incidents;
• it opened 199 investigations;
• it imposed 36 fines on companies for a total amount of $77,175;
• it issued 40 warnings to companies; and
• it imposed 39 corrective measures on companies.

You can read the press release, only available in Romanian, here.

Italy

On May 25, 2023, the Italian data protection authority (Garante) issued a press release to celebrate the five-year anniversary of the GDPR. The Garante noted that the GDPR represented a radical change of approach to privacy by holding data controllers accountable. As a result, the Garante highlighted that privacy is no longer a formal obligation, but instead, it has become an integral and permanent part of the activities of companies and public administrations.

Pasquale Stanzione, President of the Garante, stated that the GDPR has revealed its strength by constantly balancing the most diverse individual and collective needs. According to Stanzione, with the GDPR, the EU offered its Member States, but also the world, a specific model of governance of innovation based on a sustainable balance between technology and freedom.

You can read the announcement, only available in Italian, here.

Baden-Württemberg

On May 25, 2023, the Baden-Württemberg data protection authority (LfDI Baden-Württemberg) issued a statement to celebrate the five-year anniversary of the GDPR. The LfDI Baden-Württemberg highlighted that, over the past five years, the GDPR strengthened the fundamental right to data protection in various ways, whilst also making a significant contribution to safeguarding the democratic legal and economic order across all Member States, as well as to enabling sustainable digitization.

You can read the press release, only available in German, here.

Ireland

On May 25, 2023, the Data Protection Commission (DPC) published a press release celebrating the five-year anniversary of the GDPR by releasing a podcast on children's data protection rights and translating their Annual Report 2022 into four languages. These initiatives aim to highlight the DPC's work and make information more accessible.

You can read the press release here.

Slovakia

On May 25, 2023, the Office for the Protection of Personal Data for the Slovak Republic (ÚOOÚ) issued a press release to commemorate the five-year anniversary of the GDPR. The ÚOOÚ emphasized the growing awareness and interest among the general public and experts regarding data protection and privacy rights. Moreover, the ÚOOÚ acknowledged the need for flexibility in regulations to address the diverse situations that arise in data processing.

In addition, the ÚOOÚ released the methodological guidelines on the topic of monitoring individuals through camera devices on residential properties. In particular, the guidelines aim to assist individuals in making informed decisions about the installation and use of camera devices in their homes while considering the provisions of the GDPR and other relevant laws.

You can read the press release here and the guidelines here, both only available in Slovak.