3. Empirical findings: How GDPR enforcement works(and fails) in practice Introduction: a landscape of fragmentation and underenforcement The national reports confirm – and align with – findings re ­peatedly observed elsewhere(Nogarede 2021; De Stefano& Wouters 2022; Abraha 2023; Müllensiefen 2025), converging on a clear and consistent diagnosis: enforcement of the GDPR in the field of workers’ rights remains limited, frag­mented, and uneven across the EU. Despite the rapid diffu­sion of digital monitoring tools and data-intensive algorith­mic management systems, relatively few cases have effec­tively relied on the GDPR to protect workers’ data rights in general, and even fewer in relation to these emerging prac­tices – suggesting that many potential violations may have remained under the radar, given the growing centrality of data as the fuel for these tools. In terms of subject matter, the majority of national decisions still concern conventional forms of monitoring and data us­age(such as CCTV monitoring, corporate email usage, GPS tracking of company vehicles) or procedural infringements (such as the failure to respond to access requests under Arti­cle 15). By contrast, truly novel issues related to algorithmic management have generated only a handful of cases(Hiessl 2025), particularly against major platform companies provid ­ing food-delivery or ride-hailing services in Italy 3 (Agosti et al. 2023; EDRi 2025b) and the Netherlands 4 (Worker Info Ex­change 2023) respectively, and against Amazon in France 5 and Germany 6 (Warter 2025) for its warehouse algorithmic management systems, which have nonetheless produced di­vergent outcomes. Overall, the emerging picture is one of asymmetry, with significant national disparities not only in the number of cases processed but also in the types of is­sues they address and in their outcomes. Fragmentation is also apparent in the types of violations addressed. Most cases continue to revolve around tradi­tional and foundational provisions of the Regulation – pri ­marily the general principles of data processing and the lawfulness criteria under Articles 5 and 6 GDPR, together with information and access rights under Articles 13, 14 and 15 GDPR. Far fewer touch upon more innovative provisions such as Article 22 which regulates automated deci ­sion-making, with only a few notable exceptions, mostly confined to the platform economy. In Italy, for instance, the DPA initiated landmark investigations against Glovo and Deliveroo, leading to significant fines, 7 while in the Nether­lands, similar issues were adjudicated by courts in disputes involving Uber and Ola focused specifically on the GDPR. 8 The comparative analysis across Member States thus shows that GDPR enforcement in the workplace is frag­mented and incomplete. One main reason for this lies in the division of enforcement responsibilities between DPAs and judicial authorities. National procedures differ widely, undermining both comparability and coherence. While some variation is to be expected before courts, which are fully governed by national law, DPAs should theoretically not exhibit the same disparities, given their operation with­in what was intended to be a harmonised legal framework. Nevertheless, national reports indicate that institutional fragmentation results in uneven DPA practices, with signifi­cant differences in administrative procedures, investigative approaches, sanctioning policies, and prioritisation of la­bour-related cases – a central factor behind underenforce ­ment and inconsistent protection of workers’ data rights across Member States. A second reason for this dispersed enforcement landscape is the intersection between EU data protection law and do­mestic laws(Abraha 2022), which often provide more spe ­cific rules for protecting the personal data and the privacy of workers(Hendrickx, Mangan& Gramano 2023 and EC 2023). While data protection law is harmonised at EU level, 3 Italian DPA 10 June 2021 no. 234[9675440] – later partially overturned in relation to the excessive nature of the sanction imposed, on which see Cass. 22 September 2023, no. 27189; Italian DPA 22 July 2021 no. 285[9685994]; and Italian DPA 13 November 2024 no. 675[10074601]. 4 Court of Appeal Amsterdam, 7 March 2023, ECLI:NL:GHAMS:2023:796; Court of Appeal Amsterdam, 4 April 2023, ECLI:NL:GHAMS:2023:793; and Court of Appeal Amster ­dam, 4 April 2023, ECLI:NL:GHAMS:2023:804. 5 French DPA, Délibération de la formation restreinte n°SAN-2023-021 du 27 décembre 2023 concernant la société AMAZON FRANCE LOGISTIQUE. 6 LfD Niedersachsen, 28/12/2020(later overturned by VG Hannover – 10 A 6199/20). 7 See Italian DPA 10 June 2021 no. 234[9675440] – later partially overturned in relation to the excessive nature of the sanction imposed, on which see Cass. 22 September 2023, no. 27189; Italian DPA 22 July 2021 no. 285[9685994]; and Italian DPA 13 November 2024 no. 675[10074601]. 8 Court of Appeal Amsterdam, 7 March 2023, ECLI:NL:GHAMS:2023:796; Court of Appeal Amsterdam, 4 April 2023, ECLI:NL:GHAMS:2023:793; Court of Appeal Amsterdam, 4 April 2023, ECLI:NL:GHAMS:2023:804. 8 Friedrich-Ebert-Stiftung e.V.