Following two years of low activity, 2021 saw a reinforcement in privacy and data protection enforcement across the EU. This included high-profile cases against companies such as Amazon, Facebook, and WhatsApp. In 2022, organisations should expect increased and stricter enforcement.

Regulators are no longer limited to investigating data breaches and are expanding their focus to challenge organisations' legal basis for processing data, cross-border data flows, use of cookies and digital marketing, use of sensitive health and financial information, etc. In fact, in a resolution of 25 March 2021, the European Parliament expressly calls on the data protection authorities to strengthen enforcement against data protection violations and to make full use of the possibilities in the GDPR to impose fines and use other corrective measures.

The Portuguese Data Protection Authority is among those stepping up their game and just this month fined the Municipality of Lisbon 1.25 million euros for the undue disclosure of information to third parties.

Moreover, supervisory crossover will become more frequent, since other supervisory authorities (e.g., consumer, antitrust and financial) will find reasons to creatively step into ongoing investigations and cases, given the potential of the incoming legislation to create conflicts of competence.



  • Organisations must be prepared to deal with increased regulatory pressure: the EU environment for controllers and processors will get harsher every year, with severe penalties becoming more and more frequent.


  • Review the level of compliance with data protection legislation and identify potential vulnerabilities and improvements that should be addressed (e.g., data protection assessments, contracts with third parties and auditing).