Presumably there are others, at this point, that we might not have knowledge of. When you look at section 5.2.1 of the directive, you see that it provides that “PIAs are conducted in a manner that is commensurate with the level of privacy risk identified prior to establishing any new or substantially modified program”. Not only are they derelict in their application of a PIA, but the fact that they even started the program without the PIA.... Based on my reading of this subsection, it states that they're in a pretty considerable breach.
On February 1st, 2024. See this statement in context.