Worker data rights under GDPR and beyond : enforcement and legal mobilisation across the EU

2. Better regulation starts with better evidence: Fixing the GDPR's reporting gap

The GDPR has been in force for over seven years, but it is very difficult to get a systematic picture of its implementation and enforcement across Member States. It is even more challenging to assess how it is being applied in specific domains, like the workplace. After over 20 years of better regulation policies from the European Commission, starting with the European Commission's Action Plan on "Simplifying and improving the regulatory environment" (EC 2002), there are still severe gaps in the data available for proper evaluation and assessment.

The GDPR does contain various monitoring and evaluation requirements. According to Article 59, each data protection authority should publish annual reports, which "may include a list of types of infringement notified and types of measures taken". In addition, Article 71 GDPR stipulates that the European Data Protection Board should draw up annual reports on the state of play on data protection in Europe. Finally, Article 97 GDPR obliges the European Commission to evaluate the law every four years, starting in 2020.

However, these provisions together make up a woefully inadequate picture to base evaluations on, and to understand how the GDPR is being implemented and used across the EU.

In this study, we endeavoured to collect data on DPA activities in the area of worker data rights: how many and what types of complaints do workers and/or their representatives bring, and how do DPAs process and handle these complaints? That information proves to be hard to come by, and there is a very large variance across the 10 countries surveyed. For the majority of DPAs that were analysed, it was not possible to track any specific and systematic information about complaints received, let alone processed, in the area of workplace data protection. Beyond that, most DPAs do not publish all their decisions, nor reliable statistics on those decisions.
A positive exception is, for example, the Italian DPA, which includes a dedicated section on workplace data protection in its annual report and provides systematic access to past decisions, although the lack of detailed figures and the limited search functionality still make precise quantification difficult.

A big part of better regulation as understood by the European Commission is about making sure citizens and businesses understand the law and how it applies to them. The European Commission's communication on "Better regulation for better results - An EU agenda" (EC 2015), called on all EU co-legislators to commit to: "agree that legislation should be comprehensible and clear, allow parties to easily understand their rights and obligations[,] include appropriate reporting, monitoring and evaluation requirements, avoid disproportionate costs, and be practical to implement."

To heed this call, any future changes to the GDPR should include more detailed and harmonised reporting requirements. Better reporting is possible, as authorities in other domains show. For instance, the Netherlands Authority for Consumers and Markets provides detailed annual statistics on the number of consumer complaints received, investigations started and completed, and number of fines handed out, all broken down by sector (ACM 2024).

Specifying and streamlining the DPAs' reporting requirements, and making enforcement data more accessible, would provide a tangible simplification and improvement for workers, lawyers, and authorities themselves, when it comes to understanding and interpreting the GDPR. There is a significant decisional practice across Europe that is difficult to access, or not accessible at all. Were it to be made available in a more unified format, this could help create convergence on the interpretation of the GDPR (see divergent interpretation of Amazon's surveillance, under 3a).

In addition, there is a lack of specific and up-to-date guidance for the application of the GDPR in employment contexts. For core provisions around workplace data processing, such as what can be considered an employer's legitimate interest, existing EU-level guidance is dated and, for example, does not mention algorithmic management and AI (Article 29 WP 2001; Article 29 WP 2017). More recent guidance, like the draft EDPB Guidelines on legitimate interest, lacks specificity. For instance, the document mentions that when determining whether the interests and fundamental rights of a data subject take precedence over the legitimate interests of a data controller, the employer-employee relationship will likely require an assessment that is

Friedrich-Ebert-Stiftung e.V.