Interesting data set. Would be interesting to repeat the same for SMEs. In my experience, Germany is pretty hopelessly behind on everything except GDPR enforcement. They are kings of that. Must have a cookie screen, apparently. That's why they score so good on that and not much else.

When the GDPR became active eight or so years ago, we got a few GDPR related requests to our service. Basically strongly worded requests to remove their data and account, which we of course honored. All of these came from Germany. Nobody else really cared. But it was kind of curious quickly that happened. What was interesting is that we had zero such requests before that law came into power. And it's not like we were misbehaving or would have denied such a request. This was more a matter of principle: "I now finally have the right to ask this, so I'm going to."

Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much. It never really was about the cookies but about data handling and sharing.

Any mobile app you install might track you without setting cookies and you can't install an ad blocker in those either. That's why Google loves apps so much. You don't actually need cookies for those. There usually is no cookie screen when you install one usually (unless it's a web app packaged up as an app). But sharing personal data with a third party provider is still problematic under GDPR. If you read the actual law, it barely mention cookies at all. The "must have consent screen for cookies" is just the common (mis)-interpretation for laymen; because it's the most visible impact that this has had on them. When it comes to date removal and other requests, it's less about features you have and more about processes you use for complying with legal requests. That can be a person answering emails and doing things manually. Doesn't scale if you get a lot of requests but it would be fine legally.