alt Hacker NewsRight, but nothing stops companies from refusing SARs on baloney grounds. Complain to a DPA? They tell you to go through ADR or outright ignore you. Complain to Ombudsman? They'll tell you the same. (In my experience, the Dutch do this)
Company ignores ADR? Sure, now you can go through the legal route and spend copious amounts of money all because a multi billion dollar company knows the game and how to navigate the bureaucratic mess better than you.
This. In reality, GDPR isn't preventative, nor punitive enough for any meaningful user protection. We get cookie banners everywhere and user data harvesting companies happily pay the negligible fines