Skip to content
Guidance · EDPB ·on-resources-made-available-by-member-states-to-0 EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Overview on resources made available by Member States to the Data Protection Supervisory Authorities

Summary

Overview on resources made available by Member States to the Data Protection Supervisory Authorities 5 September 2022 2 BACKGROUND The European Data Protection Board (EDPB) gathered some statistics on resources made available by Member States to the supervisory authorities (SAs) from the European Economic Area (EEA). In the past, the EDPB already gathered similar information in the context of: - A Report in 2019 about the GDPR implementation made at the request of the LIBE Committee 1 , - The…

How it connects

Full text

Overview on resources made available by Member States to the Data Protection Supervisory Authorities 5 September 2022 2 BACKGROUND The European Data Protection Board (EDPB) gathered some statistics on resources made available by Member States to the supervisory authorities (SAs) from the European Economic Area (EEA). In the past, the EDPB already gathered similar information in the context of: - A Report in 2019 about the GDPR implementation made at the request of the LIBE Committee 1 , - The contribution of the GDPR evaluation made in 2020 at the request of the European Commission 2 , and - A Report in 2021 on resources made available by Member States to SAs and on enforcement actions by SAs made at the request of the LIBE Committee 3 . 1. RESOURCES MADE AVAILABLE BY MEMBER STATES TO SUPERVISORY AUTHORITIES Financial Resources The graphics below provide information about the budget made available to the EEA SAs in 2020, 2021 and 2022. The budgets of SAs have to be interpreted in light of possible differences in the scope of competences, activities, and financial responsibilities at national level. The comments provided with the graphics were made by the SAs. 1 First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, 26 February 2019, https://edpb.europa.eu/sites/default/files/files/file1/19_2019_edpb_written_report_to_libe_en.pdf . 2 Contribution of the EDPB to the evaluation of the GDPR under Article 97, adopted on 18 February 2020 https://edpb.europa.eu/sites/default/files/files/file1/edpb_contributiongdprevaluation_20200218.pdf . 3 Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities, 5 August 2021, https://edpb.europa.eu/system/files/2021- 08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf . 3 CZ : the budget of the Czech Republic SA covers more tasks conferred on the authority by the national legislation. Consequently, the budget provided here includes also these tasks not relating directly to the GDPR. DE : budget for all of the 18 supervisory authorities in Germany. DK : the budget also covers the tasks as supervisory authority according to national legislation on video surveillance, credit information and debt recovery. Furthermore, from 2022 the budget also covers the task as external reporting channel under the Whistleblower Directive 4 . FR : the French SA's budget is divided as follows: 82% for staff costs and 16% for operating costs. SE : the budget also covers the tasks as supervisory authority according to national legislation on video surveillance, credit information and debt recovery. 4 The figure for 2020 in this graph is different from the one provided for the same period in the Overview on resources published in August 2021 ( https://edpb.europa.eu/system/files/2021- 08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf ). In the 2021 overview, the figure was the amount actually spent in 2020, while the figure provided in this 2022 overview is the amount granted for 2020. 4 EE : the Estonian Data Protection Inspectorate’s budget covers both GDPR and Freedom of Information matters. LT : there are two GDPR supervisory authorities in Lithuania. In 2022, he State Data Protection Inspectorate has a budget of €1.505.000, the Office of the Inspector of Journalistic Ethics (IJE), who is responsible only for supervision when personal data are processed for the purposes of journalistic, academic, artistic or literary purposes, has a budget of €130.200 for the activities related to monitoring compliance with GDPR. The previous figures published by the EDPB for 2020 and 2021 5 also included budget for the IJE for non-GDPR tasks. In addition, the salaries of the staff are too low compared to the salaries of the private sector in the same field. The Lithuanian SA lack also budget for the development of an IT system to perform its regulatory activities. LV : the salaries of the staff are too low compared to the salaries of the private sector in the same field. 5 See https://edpb.europa.eu/system/files/2021- 08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf . 5 An important majority of SAs explicitly states that they do not have enough resources, while some SAs consider they have enough financial resources at this stage. AT : this is due mainly to a recent significant increase in the number of complaints lodged with the Austrian SA. BG : the Bulgarian SA would need more budget to conduct on-site inspections and to participate more in joint cooperation activities. ES : the Spanish SA needs more resources to deal with cooperation procedures, to handle the increased number of complaints and to face increasing new tasks due to EU regulatory developments. FR : The French SA needs more resources to develop information systems, to increase its national and European communication, to deal with the growing number of complaints and to deal with the new tasks related to the evolutions of the European regulation. SE : the Swedish SA requested a gradual increase in their annual budget during 2023 – 2025 for a total of 5.8 M€. 6 2. HUMAN RESOURCES General overview The graphics below provide information about the human resources made available to the EEA SAs in 2020, 2021 and 2022. The numbers shown indicate the number of approved posts, and not the actual number of employees working in the supervisory authorities. These resources have to be interpreted in light of possible differences in the scope of competences, activities, and financial responsibilities at national level. DE : Combined number of approved posts for all of the 18 supervisory authorities in Germany. FR : 45 additional posts were created between 2020 and 2022 in order to deal with the increase in the French SA's activity, mainly for the processing of complaints and on-site inspections. IT : the SA currently has 139 staff members but the Italian national law provides for 200 FTEs. 61 posts have still to be filled. NL : the SA currently has 167 staff members, but this is preliminary as the total number of staff should increase up to 212 FTEs in 2022. 7 CY : the Cypriot SA employed 26 officers in 2022, but three were transferred to other public services. Replacement is ongoing. CZ : the Czech Republic SA has also tasks not relating directly to the GDPR, conferred on it by the national legislation. Consequently, the number of FTEs provided here is the one dedicated also to these non-GDPR tasks. EE : only 16 positions are currently fulfilled, due to a lack of financial resources. LT : there are two Supervisory Authorities in Lithuania. The State Data Protection Inspectorate has 52 employees and the Office of the Inspector of Journalistic Ethics (IJE) has 4 employees responsible for monitoring the compliance with the GDPR. The previous figures published by the EDPB for 2020 and 2021 6 also included number of staff working in the IJE for non-GDPR tasks. The Centralised Audit Division of the Ministry of Justice pointed out in the conclusion in 2021 that the State Data Protection Inspectorate need 32 additional posts, however number of new posts allocated to the Inspectorate was increased only by 14 posts. SK : the number of staff decreased in 2021 compared to 2020 and did not increase in 2022. According to the Slovakian SA, the situation is currently very critical. 6 See https://edpb.europa.eu/system/files/2021- 08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf . 8 A vast majority of SAs have explicitly stated that they do not have enough human resources, while some SAs consider they have enough resources at this stage. AT : this is due mainly to a recent significant increase in the number of complaints lodged with the Austrian SA BE : the Belgian SA considers that to perform its mission, there is a need of 10 more FTEs in 2022, 15 in 2023 and 25 in 2024. BG : the Bulgarian SA considers that to perform its mission, there is a need to increase with more than 1/3 of the existing staff members, especially for the complaint-handling experts. DE : the German SAs need more staff to be able to act more proactively, to conduct investigations and to be able to conduct further examination of the complaints or breach notifications as only a basic processing of them is currently possible. Additional staff is also needed for education, information and consultation services. EE : the staff turnover has been above 30 % over the past two years due to workload and salaries (and that it is not competitive in comparison to other public authorities). FR : the French SA needs more staff to contribute more effectively to the GDPR cooperation and consistency procedures. Additional staff is also needed for education and to conduct more investigations, especially linked to complaints and security breaches. NL : the Dutch SA needs more FTEs, notably to handle complaints, data breach notifications, approval of BCRs, investigations, provide advices.

Similar Content