From the list of issues, we have derived sixteen “core concepts”, which can provide solutions via high-level principles and rules.

Ideally, these concepts should be abstract enough to capture many problems, with a simple rule or principle that can be included in various provisions throughout the new Regulation.

When developing these principles, we have actively considered existing mechanisms in EU law, such as instruments in procedural rules, which seem to have many common features with GDPR procedures.

Concept 15: Transparency and accountability

There are currently very different statistics provided by SAs on how they enforce the GDPR, usually in annual reports. In addition, while some SAs publish all or most decisions (e.g. Spain), others do not publish decisions (e.g. Germany). Some Member States see the publication of a decision as an additional penalty. This leads to a lack of legal certainty for controllers, processors and data subjects, as there is virtually no case law in some Member States. The publication of decisions is also an element of general deterrence, as DPOs and other decision makers get clear evidence of what may lead to consequences.


  • Consistent European rules on yearly statistics and the publication of decisions could ensure that the public accountability of SAs, legal certainty and deterrence are increased.


  • These requirements may lead to more bureaucratic workload for SAs. However, most statistics are already published in annual reports – a common format should not increase the workload dramatically. Equally, certain limitations on the publication of decisions (e.g. only in relevant cases) may limit the workload.
  • There may be legitimate reasons why parties may not want their cases to be published. It would be possible to allow Member States certain discretion to, for example, follow the national traditions on publications, such as redacting names or facts to overcome these reservations.