GDPR investigation – Must-Know Stats and Takeaways


A recent survey in an EU member state shows that 89% of the cases that led to a decision of the sanctioning authority started with a complaint by a dissatisfied customer, (former) employee, competitor, …
Only 8% were the result of a spontaneous GDPR investigation by the authority, and 3% started with a privacy leak whose further investigation revealed other violations.

GDPR investigation – how it starts

Hence, a GDPR investigation often starts with disputes resulting from everyday actions, such as information in a customer loyalty program, visible email addresses in a bulk email, a personal email to a professional email address, the failure to close accounts by a previous employer, keeping applicant data, a promo mailing, being added to a WhatsApp group and even a fight between neighbours…

In short, GDPR exposure is mainly caused by citizens who complain, rather than by any autonomous action of the authority.

