A European Commission Statement says that Data Protection Authorities (DPAs) across Europe received 95,180 complaints regarding the mishandling of personal data and companies reported a record number of 41,502 data breaches since the General Data Protection Regulation (GDPR) was enacted on 25 May 2018.

According to the GDPR provisions, businesses have the obligation to report data breaches to their national DPA in under 72 hours if personal data of European citizens is unlawfully or accidentally disclosed.

Following the 95,180 complaints introduced by both individuals and organizations mandated by individuals since the enactment of the GDPR, a number of 255 investigations were initiated by national Data Protection Authorities.

41,502 data breaches reported by companies since 25 May 2018

It is important to mention though that out of those, a couple of dozen GDPR investigations were also initiated outside the scope of the complaints advanced by individuals.

Moreover, European Commission's statistics say that the most common types of GDPR complaints were related to telemarketing, promotional e-mails, and to video surveillance/CCTV, which were found to violate multiple provisions.

European Commission's joint statement said that:

We are already beginning to see the positive effects of the new rules. Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work. They have by now received more than 95,000 complaints from citizens.

As reported by Cisco in its Data Privacy Benchmark Study, companies which closely follow the requirements of the GDPR experience benefits such as lower frequency and effect of data breaches, as well as shorter downtimes, fewer records being impacted by the attacks, and lower overall costs.

Furthermore, as found out by Cisco, country GDPR-readiness was between 42% to 76%, with the European countries involved in the survey (i.e., France, Germany, Italy, Spain, UK) unsurprisingly scoring a lot higher on the scale when compared to countries from other continents.

GDPR readiness by country

As an example of GDPR being used to protect the personal data and privacy of European citizens, the Commission Nationale de l’informatique et des Libertés (CNIL) slapped Google with a €50 million fine on January 21 for not obtaining user consent for processing data for ads personalization purposes and for violating transparency and information obligations.

Google-owned YouTube is also the target of a GDPR complaint filed by NOYB for "right to access" violations described in GDPR's Article 15, with a possible maximum penalty that could reach €3.87 Billion according to the NGO, with Amazon, Apple, DAZN, Spotify, SoundCloud, Flimmit, and Netflix also being targeted by GDPR complaints related to the same reasons.

Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian were also subjects of a GDPR complaint filed by user rights group Privacy International because they were collecting the data of millions to create user profiles.