Data complaints doubled after GDPR: watchdog


Photo credit: Markus Spiske on Unsplash 

The grand duchy’s privacy watchdog has reported steep increases in the number of complaints and data breach reports since the introduction of the EU’s General Data Protection Regulation eight months ago.

A spokesman for the National Commission for Data Protection (CNPD), the body that enforces GDPR rules in Luxembourg, told Delano on 29 January that: “The CNPD has received 351 complaints since 25 May.” Just over half of complaints (193) were lodged after 28 September, meaning the number of grievances slowed slightly at the end of last year.

The CNPD spokesman reported that:

“In total, we have received 474 complaints in 2018 compared to 200 in 2017. 400 of these complaints came from citizens, while 74 were received by other supervisory authorities in the context of the EU cooperation system. (This is new since 25 May.)”

Organisations that hold personal data have reported to the CNPD, as they are required to under GDPR, an average of 24 data breaches a month. “Since 25 May, we have received 172 data breach notifications,” the spokesman stated.

According to CNPD figures published on 23 January, between 25 May and 31 December 2018:

  • 57% of data breaches were caused by internal errors
  • 27% were caused by external malicious activity
  • 7% were caused by internal malicious activity
  • 3% were caused by external errors

The most frequent causes of data breaches between 25 May and 31 December 2018 were:

  • Personal data mistakenly sent to the wrong person (49 incidents)
  • Hacking (34)
  • Providing personal data about the wrong person (21)
  • Involuntary publication (20)
  • Lost or stolen device (14)
  • Phishing (10)

The CNPD spokesman said the agency recorded a large increase in the number of inquiries that it has fielded from the public. “Information requests have also more than doubled. From 2017 to 2018, they went from 520 to 1,113,” he said.

In October, the spokesman said that information requests could include:

“people asking for advice on data protection issues (for example, about surveillance in the workplace, data protection officers, data breaches) or having legal questions (GDPR, national law).”

European figures

The European Commission released figures for 22 European countries on 25 January (PDF). EU data protection authorities reported 95,180 GDPR-related complaints from 25 May. The agencies logged 41,500 data breach notifications. There were also 255 cross-border cases.

However, the figures for the EU are incomplete, “as national complaints remain the responsibility of the Member States and they are not obligated to disclose these to us,” a spokeswoman for the European Data Protection Board, the umbrella outfits for EU data protection agencies, told Delano on 28 January.


According to the report:

“Several high level cases are ongoing and could cause fines up to 4% of the annual [turnover] of a business, if there is a serious infringement. So far three fines have been issued.”

These were:

  • In Germany, “a social network operator for failing to secure users’ data” was fined €20,000 in November 2018
  • In Austria, a “sports betting café for unlawful video surveillance” was fined €5,280 in September 2018
  • In France, “Google for lack of consent on ads” was fined €50m on 21 January 2019

The spokesman for Luxembourg’s data protection agency said: “The CNPD hasn’t issued any fines yet.”