This statistic shows the views as to whether general data protection regulation (GDPR) has been a good thing for European consumers. 60 percent of the respondents agreed that GDPR has been a good thing for European consumers. This statistic addresses one of the biggest myths in the European tech ecosystem.

Abstract

The General Data Protection Regulation (GDPR) stands as one of the most significant legal frameworks for data protection and privacy in recent years. Enforced by the European Union (EU) since May 2018, the GDPR has garnered global attention due to its wide-reaching impact on businesses, organizations, and individuals, transcending geographical boundaries. While initially conceived to safeguard the data rights of EU citizens, its influence extends far beyond EU member states… See the full description on the dataset page: https://huggingface.co/datasets/AndreaSimeri/GDPR.

Between 2018 and 2022, there has been a significant increase in the level of awareness around the General Data Protection Regulation (GDPR) among European users. In 2018, when the GDPR was first applied, the United Kingdom had the highest level of awareness, with 32 percent of respondents agreeing or strongly agreeing with the statement: "I am aware of the new General Data Protection Regulation (GDPR) that will be introduced in May 2018". In 2022, the share of UK respondents agreeing with the statement increased to 73 percent. France had the lowest level of awareness in 2018, 20 percent, whereas in 2022 it reached 47 percent but remained the lowest among other European markets.

Introduction

GDPR Statistics: ​In 2024, enforcement of the General Data Protection Regulation (GDPR) intensified across Europe, resulting in significant financial penalties for non-compliance. The Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn for processing personal data without a proper legal basis.

Similarly, Uber faced a €290 million penalty from the Dutch Data Protection Authority for unlawfully transferring European drivers' personal data to the United States. Meta Platforms Ireland Limited was fined €251 million by the Irish DPC due to a 2018 data breach affecting millions of user accounts. Collectively, GDPR fines in 2024 totaled approximately €1.2 billion, marking a 33% decrease from the previous year.

Since the regulation's inception in 2018, cumulative fines have reached €5.88 billion. These figures underscore the ongoing commitment of European authorities to uphold data privacy standards and the substantial financial risks organizations face for non-compliance.

This graph shows the results of a survey about the future GDPR impact on M&A due diligence in 2018, by region. In the EMEA area, 63 percent of European professionals involved in M&A transactions believed that by 2022 the General Data Protection regulation will increase acquirers’ scrutiny of the data protection policies and processes of target companies.

Exploiting the timing and territorial scope of the European Union’s General Data Protection Regulation (GDPR), this paper examines how privacy regulation shaped the financial performance of companies across 31 countries and 22 industries. Con- trolling for firm and country-industry-year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and af- ter the enforcement of the GDPR in 2018. We find that enhanced data protection had the unintended consequence of harming the profitability of companies targeting European consumers, primarily through the cost channel. Digital technology firms exposed to the regulation experienced a 2.1% decline in profits, but not in sales. We bolster these findings by showing that the GDPR increased extra expenses, added to firms wage bills, and accelerated patenting in GDPR-related technology fields.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, fines have been issued for several types of violations. As of February 2025, the most significant share of penalties was due to companies' non-compliance with general data processing principles. This violation has led to over 2.4 billion euros worth of fines.

Contracts concluded between the Controller and the Processor pursuant to Act No. 18/2018 Coll. and General Data Protection Regulation — GDPR

The General Data Protection Regulation (GDPR) provides, since 25 May 2018, for the mandatory designation of a Data Protection Officer (DPO) in public services and, under certain conditions, by companies and associations.

The delegate — also known as the Data Protection Officer (DPO) — is responsible for ensuring GDPR compliance with the processing of personal data of the body that designated him or her. Internal or external, the delegate may also be appointed on behalf of several bodies.

To ensure the effectiveness of his/her tasks, the delegate shall:

— must have specific professional qualities and knowledge; — must benefit from material and organisational resources, resources and positioning enabling it to carry out its tasks effectively and independently.

To learn more about the role of delegate: https://www.cnil.fr/fr/devenir-delegue-la-protection-des-donnees.

In accordance with the applicable texts, the CNIL shall publish in an open and easily reusable format the name and professional contact details of the bodies that have appointed a Data Protection Officer, as well as the means of contacting the Data Protection Officer.

** Warning 1:** The published data, including the public contact details of delegates, are extracted from the designations of delegates as received by the CNIL via its dedicated teleservice. Any delegate may request the modification of the contact details published directly to the CNIL’s Data Protection Officers Service.

** Warning 2:** Any re-use of published data which would have the nature of personal data (telephone number, e-mail address, etc.) presupposes, on the part of the re-user, verification of the full fulfilment of his/her obligations under the GDPR, in particular in terms of informing the delegates concerned and respecting their other rights as defined by the European Regulation. Otherwise, the re-user would in particular be exposed to the penalties provided for in the GDPR.

Since the entry into force of the General Data Protection Regulation (GDPR), on 25 May 2018, only digital processing of the most sensitive personal data must be subject to prior formalities with the CNIL.

These formalities may take the form of simplified declarations (declarations of conformity with a reference framework proposed by the CNIL), requests for an opinion (for the sovereign activities of the State) or applications for authorisation (in the field of health). To find out more: cnil.fr.

In accordance with the amended Data Protection Act (Article 36), the CNIL keeps available to the public the list of these formalities in an open and easily reusable format, known as “List article 36”.

** Warnings:**

1/The published data are the result of the prior formalities completed, since May 25, 2018, by the controllers of personal data processing at the CNIL, via its dedicated teleservices. The CNIL cannot be held responsible for their content.

2/The processing carried out on behalf of the State may not appear in the dataset, the formalities having been completed in the form of requests for an opinion on a draft regulatory act (decree or decree) not submitted via the teleservices mentioned. The information relating to these treatments is available on Legifrance, the opinion of the CNIL being published with the act authorising the treatment (to access the deliberations of the CNIL: https://www.legifrance.gouv.fr/initRechExpCnil.do). In addition, some important treatments are subject to fiches on the CNIL website.

3/Exceptionally exempted from the publication of the regulatory act authorising them (decree or decree) are not included in the published data set, in accordance with article 36 of the amended Data Protection Act. The treatments referred to in Article 30 I and II may be exempted, by decree in the Council of State, from the publication of the regulatory act which authorises them. These treatments are mentioned in Decree n°2007-914 of 15 May 2007.

Since the entry into force of the General Data Protection Regulation (GDPR), on 25 May 2018, only digital processing of the most sensitive personal data must be subject to prior formalities with the CNIL. These formalities may take the form of simplified declarations (declarations of conformity with a reference framework proposed by the CNIL), requests for an opinion (for the sovereign activities of the State) or applications for authorisation (in the field of health). To find out more: cnil.fr. In accordance with the amended Data Protection Act (Article 36), the CNIL keeps available to the public the list of these formalities in an open and easily reusable format, known as “List article 36”. ** Warnings:** 1/The published data are the result of the prior formalities completed, since May 25, 2018, by the controllers of personal data processing at the CNIL, via its dedicated teleservices. The CNIL cannot be held responsible for their content. 2/The processing carried out on behalf of the State may not appear in the dataset, the formalities having been completed in the form of requests for an opinion on a draft regulatory act (decree or decree) not submitted via the teleservices mentioned. The information relating to these treatments is available on Legifrance, the opinion of the CNIL being published with the act authorising the treatment (to access the deliberations of the CNIL: https://www.legifrance.gouv.fr/initRechExpCnil.do). In addition, some important treatments are subject to fiches on the CNIL website. 3/Exceptionally exempted from the publication of the regulatory act authorising them (decree or decree) are not included in the published data set, in accordance with article 36 of the amended Data Protection Act. The treatments referred to in Article 30 I and II may be exempted, by decree in the Council of State, from the publication of the regulatory act which authorises them. These treatments are mentioned in Decree n°2007-914 of 15 May 2007.

This chart depicts the share of most popular websites with privacy policies before and after GDPR in the European Union 2018, by country. Because of the GDPR regulation, the share of websites with privacy policies was higher in October 2018 than it was in December 2017. The country with the greatest difference was Latvia with 15.7 percentage points.

Since the enforcement of the General Data Protection Regulation (GDPR) in May 2018, Ireland has reported the highest amount of fines issued for violation of the regulation, over **** billion euros. Luxembourg ranked second, with around *** million euros, while France followed, issuing ****** million euros of fines for GDPR violations.

There is no description available for this dataset.

Questions about GDPR? Ecommerce managers everywhere are wondering how their online business will be affected by the General Data Protection Regulation. It is set to become law in the European Union (EU) on May 25, 2018. But your business isn’t headquartered in the EU? GDPR requirements will govern the way you interact with EU customers […]

Prior to the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, the Data Protection Correspondent (CIL) was responsible for ensuring compliance with the Data Protection Act within the company, group, association or administration that had designated it.

This designation was optional.

The CNIL publishes the list of private and public bodies that wished to engage in a compliance process by designating a CIL prior to the establishment, by the GDPR, of the DPO.

The statistic illustrates the result of a survey with regard to the main issues faced by Italian companies while complying the GDPR (General data protection Regulation) in Italy in 2018. By farm the biggest issue was the difficult in mapping the data, opinion shared by more than half of the companies interviewed. The scarce awareness of the employees was the second problem, while the poor sponsorship of the management came third.

The goal of this study was to measure the attitudes towards data sharing and data-collecting organizations before and after the introduction of the EU General Data Protection regulations (GDPR) among people in Germany. The data come from a three-wave split-panel web survey among people 18 years and older in Germany who were recruited from a German nonprobability online panel. In April 2018 (before the GDPR came into effect), 2,095 participants completed the Wave 1 questionnaire on device ownership, social media use, trust in different data collecting organizations, willingness to share data, general trust, awareness of and knowledge about the GDPR, and privacy concerns. In July and in October 2018 (after the GDPR came into effect), respondents from the earlier waves were invited to participate in a second and a third web survey that repeated most of the questions from the first wave. In addition to participants from the earlier waves, fresh respondents were also invited to Waves 2 and 3. A total of 2,046 (Wave 2) and 2,117 (Wave 3) respondents completed the questionnaire in the subsequent waves. 1,269 participated in all three waves.

Topics:

Wave 1

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password at selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Bundesamt für Statistik, Universitätsforscher) with regard to the protection of personal data and reasons for this assessment; probability scale with regard to the protection of personal data at the above-mentioned institutions and reasons for this assessment; agreement with the import of personal data of the social insurance institutions to the survey data; general personal trust; awareness of the EU General Data Protection regulations (GDPR) ; knowledge test: goals of the GDPR (open); feeling of invaded privacy by the following institutions: Google, Facebook, government agencies, university researchers; general privacy concerns.

Wave 2

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password with selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Federal Statistical Office, university researchers) with regard to the protection of personal data; general personal trust; awareness of the EU General Data Protection regulations (GDPR); knowledge test: goals of the GDPR (open); consent to the storage of various personal data by Facebook or Google (name, e-mail address, home address, date of birth, telephone number, income, marital status, number of children, current location, Internet browser history, account names from other social media and data received from third parties); feeling of invasion of privacy by the following institutions: Google, Facebook, government agencies, university researchers; general privacy concerns.

Wave 3

Possession of smartphone, mobile phone, PC, tablet and/or e-book reader; social media use: account with user name and password at selected providers (Google, Facebook, Twitter, LinkedIn, Xing); trust in institutions (Google, Facebook, Federal Statistical Office, university researchers) with regard to the protection of personal data; general personal trust; awareness of the EU General Data Protection regulations (GDPR); knowledge test: goals of the GDPR (open); concerns about privacy in general; comprehensibility of excerpts of the contents of the EU General Data Protection regulations (GDPR) (resp. on passenger rights in the event of denied boarding and flight delays); estimated popularity of smartphones (proportion of smartphone owners per 100 adult Germans); repetition of the question on trust data collecting organisations (Google, Facebook) with regard to the protection of personal data and general personal trust; readiness for data exchange by Google (or Facebook or the Federal Statistical Office) for research purposes (or for commercial purposes).

Demography: sex; age (year of birth); federal state; school education; professional qualification.

Additionally coded was: running number; respondent ID; experimental groups GDPR Info; duration (reaction time in seconds); used device type to complete the questionnaire.

The questionnaire also included two experiments, one on the effect of GDPR-related information on trust in data collecting organisations and one on the comfort of data shar...

The General Data Protection Regulation (GDPR) Solutions market has emerged as a crucial segment in the realm of data privacy and protection, particularly as organizations across the globe strive to comply with stringent European Union regulations. The GDPR, implemented in 2018, set a high standard for data privacy,

To verify compliance with the Data Protection Act (and the GDPR since 25 May 2018), the CNIL has the option of controlling files recording personal data.

This control may be exercised:

• on site (on the premises of the person responsible for the file);

• on convocation (on CNIL premises);

• on documents (request for documents);

• and, since 2014, online (website monitoring).

Eight datasets are published:

1. number and types of checks carried out each year since 1990 (csv and xls);

2. lists of checks carried out, by year, from 2014 to 2022 (csv and xls).