uneven and inconsistent across Member States. Horizontal ­ly, EU law itself is split between the GDPR and the AI Act as general regimes with different scopes, and the Platform Work Directive as a more protective and sector-specific in­strument limited to platform workers. This combination generates asymmetries for workers exposed to similar risks. Addressing these inconsistencies is essential, as fragmen­tation at the substantive level inevitably produces frag­mentation in enforcement. Where enforcement happens: workers´ data protection rights before DPAs and courts Assessing enforcement empirically remains challenging due to limited and inconsistent data. Nonetheless, a gener­al pattern emerges: cases based solely on the GDPR are primarily handled by DPAs(and, subsequently, by ordinary or administrative courts when DPA decisions are appealed), whereas in labour courts GDPR provisions typically serve an ancillary role, supporting national labour rights rather than forming the main basis for litigation. Cases before the DPAs The evidence emerging from the national reports confirms that DPA enforcement in the field of workplace data pro­cessing and algorithmic management varies across Mem­ber States, but it is generally scarce – partly because most DPAs do not seem to consider the workplace a priority area for their enforcement activities(Nogarede 2021; Abraha 2023; Müllensiefen 2025). In several Member States – such as Austria, Ireland and the Netherlands – the enforcement of workers’ data protection rights before DPAs has been described as relatively re­strained or weak. However, a number of Member States – notably Belgium, Germany and Spain – have displayed in ­creased levels of DPA activity regarding the enforcement of the GDPR in the workplace, although the overall numbers seem to remain modest. For instance, the German report indicates that, for Bavaria, in 2024, there were less than 5 complaints per 100,000 workers. Italy stands out as the only positive outlier for both the variety and the visibility of its cases, including ex officio investigations, some of which have received widespread media coverage, such as those targeting algorithmic management systems in the platform economy(Agosti et al. 2023). 13 Such proactive ini­tiatives are rare elsewhere, though they have occurred in high-profile but rather isolated instances, such as the Ama­zon warehouse cases in Germany 14 and France 15 (Müllen ­siefen 2025). However, most DPAs adopt a reactive stance, primarily re­sponding to individual complaints. Structural limits – in ­cluding resource constraints, discretion in case selection, and procedural complexity – further restrict consistent en ­forcement. In some jurisdictions, such as Austria and par­ticularly Ireland, DPA operations seem to be opaque: com­plaint follow-up procedures are unclear and/or publicly available data on outcomes are scarce. A striking issue lies in the discrepancy between the num­ber of complaints received and the number of formal deci­sions issued. This gap may suggest informal resolutions, procedural stagnation or the withdrawal of complaints, but the lack of transparency makes it impossible to know. DPAs also differ widely in their level of engagement and in the guidance they provide. In key jurisdictions hosting the headquarters of large multinational employers such as Ireland and, to some extent, Luxembourg and the Nether­lands, the enforcement record seems comparatively weak – a serious concern given their pivotal role in the digital labour market. Cross-border coordination remains another critical weak­ness. The enforcement trajectories of Amazon’s perfor ­mance management systems in France and Germany illus­trate this incoherence: while the French DPA imposed a €32 million fine, 16 a similar initiative by the German au­thority of Lower Saxony was later overturned by a court. 17 A more positive example is the Uber case, where the French and Dutch DPAs cooperated effectively, imposing fines of€10 million and€290 million to Uber in 2023 and 2024 respectively. 18 Notwithstanding the strong record of the Italian DPA and the increased activity of DPAs in for instance Belgium, Ger­many, and Spain, overall the evidence points to a structural underenforcement of the GDPR in the workplace. On the one hand, the existence of these isolated cases shows that DPAs are structurally well-positioned to carry out this type of enforcement: they possess specialised expertise in data protection and emerging technologies, and they hold inves­tigative and sanctioning powers that go beyond those available to courts(Agosti et al. 2023). However, DPAs of ­ten operate with limited financial and human resources, as for example explicitly noted in the German report and in the Austrian one. The latter further observes that this lack of resources has led the DPA to develop various“tech­niques” to ensure that cases are closed as quickly as possi­13 See Italian DPA 10 June 2021 no. 234[9675440] – later partially overturned in relation to the excessive nature of the sanction imposed, on which see Cass. 22 September 2023, no. 27189; Italian DPA 22 July 2021 no. 285[9685994]; Italian DPA 13 November 2024 no. 675[10074601]. 14 LfD Niedersachsen, 28/12/2020(later overturned by VG Hannover – 10 A 6199/20). 15 French DPA, Délibération de la formation restreinte n°SAN-2023-021 du 27 décembre 2023 concernant la société AMAZON FRANCE LOGISTIQUE. 16  Ibid. 17 LfD Niedersachsen, 28/12/2020(later overturned by VG Hannover – 10 A 6199/20). 18  https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us. Empirical findings 11