Cross-Border Complaints

Cross-Border Complaints Statistical Report Published by DPC: Data Privacy Trends

I love it when one resource can lead to two stories! Especially on a travel day!  🙂  Yesterday, I discussed how the Data Protection Commission (DPC) fined Meta €17m ($18.77m) for its infringement of GDPR. At the bottom of that announcement was a link to another announcement that the DPC (also on March 15th) published a statistical report on the DPC’s handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) mechanism.

The 25-page report is available here. But here are a few summary highlights of the report, which illustrates that in the period May 25, 2018 (when GDPR went into effect) to December 31, 2021:

  • 1,150 valid cross-border complaints have been received by the DPC; 969 (84%) as lead supervisory authority (LSA) and 181 (16%) as a concerned supervisory authority (CSA).
  • 588 (61%) of those complaints were handled by the DPC as the LSA were originally lodged with another supervisory authority and transferred to the DPC.
  • 65% of all cross-border complaints handled by the DPC as the LSA since May 2018 have been concluded, with 82% of those received in 2018 and 75% in 2019 now concluded.
  • Of the 634 concluded complaints handled by the DPC as the LSA, 544 (86%) were resolved through amicable resolution in the interests of the complainant.
  • 72 (22%) open cross-border complaints are linked to an inquiry and will be concluded on the finalization of the inquiry. Not surprisingly, a large number of the remaining open complaints from 2018 and 2019 are linked to an inquiry.
  • 86% of all cross-border complaints handled by the DPC as the LSA relate to just 10 data controllers.
  • 38% of complaints transferred by the DPC to other EU/EEA LSAs (excluding the UK) have been concluded.

That second to last bullet point is particularly interesting. Wonder who the 10 are? Take some guesses, then go to page 15 of the report for the answers. The top data controller has almost three times the number of complaints as the second-place data controller and (hint!) I covered them yesterday. 😉


So, what do you think of the DPC’s report? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply