A recent survey in an EU member state shows that 89% of the cases that led to a decision of the sanctioning authority started with a complaint by a dissatisfied customer, (former) employee, competitor, … Only 8% were the result of a spontaneous investigation by the authority, and 3% started with a privacy leak whose further investigation revealed other violations.

The investigation often starts with disputes resulting from everyday actions, such as information in a customer loyalty program, visible email addresses in a bulk email, a personal email to a professional email address, a previous employer's failure to close accounts, keeping applicant data, a promo mailing, being added to a WhatsApp group and even a fight between neighbors…

In short, GDPR exposure is mainly caused by citizens who complain, rather than by any autonomous action of the authority.