[Msurrow]

One of the roles of the DPA is to investigate and collect formal prof of wrongdoing. So no, you do not need proof og wrongdoing, you just need enough to get the DPA to investigate. For example, a fundamental priciple of gdpr is that of data minimization; a data controller must do whatever they can do minimize the data they collect and process. Another fundamental right is the right of access, meaning the right to get told all the data a data controller is collecting and processing about tje subject. Say WhatsApp list the data they collect, and say that list is very long. Then I dont think it would be difficult to argue [to the DPA] that WhatsApp is breaking the principle of minimization. Perhaps enough to start an investigation.

There are a bit more to it than that, lile ligitimate interests etc, but on the other hand gdpr has many more priciples and fundamental rights for companies to break