[diggan]

> Wouldn't that require some kind of actual policing? Here (in Norway) at least

Maybe a dumb question, but have you actually reported the company to your DPA? I think the DPAs have some agency to perform investigations on their own, but currently they're mostly acting on user complaints, whistleblowers and self-reporting by the organization itself, so if none of the people involved (on either side) reports the organization, the DPA won't know where to even begin.

Seemingly you have a good inside view with clear evidence of breaking GDPR, so I assume you've reported this organization then?