Ireland’s Data Protection Commission today released its annual report, which disclosed that it has launched 21 investigations for GDPR violations, including eight involving Facebook.

The 2019 DPC report marks the first full calendar year since Europe’s General Data Protection Regulation took effect in May 2018. The DPC also has two GDPR investigations involving WhatsApp, one for Instagram and three each for Apple and Twitter.

“There have been many positive changes, including organizations across Ireland appointing Data Protection Officers who can assist the public in exercising their data protection rights, and also an increased awareness on the part of individuals and organisations alike as to the importance of protecting personal data,” said Helen Dixon, Ireland’s Commissioner for Data Protection, in a statement.

While GDPR covers data use in Europe, many of the largest tech companies have their regional headquarters in Ireland. This means Ireland’s commission has the lead responsibility for investigating GDPR complaints.

That has the agency scrambling to keep up. According to the report, the commission received 7,215 complaints in 2019, up 75% from the 4,113 received in 2018. Of those, 5,496 were resolved in the same year.

By the end of December 2019, DPC had 21 ongoing inquiries involving “multinational technology companies.” Those involving Facebook include a mix of potential security issues, as well as potential problems in the handling of users’ data.

One summary complaint reads: “Examining whether Facebook has discharged its GDPR obligations in respect of the right of access to personal data in the Facebook ‘Hive’ database and portability of ‘observed’ personal data.” Another reads: “Facebook passwords stored in plain text format in its internal servers. Examining Facebook’s compliance with its obligations under the relevant provisions of the GDPR.”

WhatsApp is under scrutiny for how it shares information with Facebook: “Transparency. Examining whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and nonusers of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”

In many cases, the complaints against the companies involved access to users’ personal data, which GDPR requires companies to make available upon request. Others were challenging companies on the way personal and behavioral data was being used to target advertising.

For the DPC, this workload is requiring a considerable investment in time and resources. The agency increased staffing in 2019 from 110 to 140, and it anticipates continuing to hire in 2020 to handle the growing responsibility.