Who Is Responsible for Enforcing the GDPR?

National data protection authorities, the EDPB, and the EDPS oversee compliance across Europe.

The General Data Protection Regulation (GDPR) is one of the most comprehensive data protection laws in the world, but many people still wonder: who is responsible for enforcing the GDPR?

In short: The GDPR is enforced by independent national data protection authorities (DPAs) in each EU and EEA member state. These authorities monitor, investigate, and take action against organizations that breach data protection rules. The overall coordination of enforcement is overseen by the European Data Protection Board (EDPB), which ensures consistency across Europe.

Key Authorities Responsible for Enforcing the GDPR

1. National Data Protection Authorities (DPAs)

Every EU and EEA country has a national data protection authority, sometimes called a supervisory authority.
These authorities are the frontline enforcers of the GDPR. Their primary roles include:

  • Investigating complaints: Individuals (data subjects) can file complaints with their national DPA if they believe their data rights have been violated.

  • Monitoring compliance: DPAs conduct audits and investigations to ensure organizations follow GDPR rules.

  • Issuing fines and penalties: They can impose significant administrative fines — up to €20 million or 4% of a company’s global annual turnover, whichever is higher.

  • Providing guidance: DPAs help organizations interpret GDPR requirements and implement compliance measures.

Each DPA operates independently within its country, though they cooperate with one another through the EDPB to maintain consistency.

Examples of National DPAs:

Country           Supervisory Authority                                                        Website
Germany           Federal Commissioner for Data Protection and Freedom of Information (BfDI)   bfdi.bund.de
France            Commission Nationale de l’Informatique et des Libertés (CNIL)                cnil.fr
Ireland           Data Protection Commission (DPC)                                             dataprotection.ie
United Kingdom*   Information Commissioner’s Office (ICO)*                                     ico.org.uk

Note: The UK’s ICO enforces the UK GDPR, which mirrors the EU GDPR following Brexit.


2. The European Data Protection Board (EDPB)

The European Data Protection Board is an EU body that coordinates GDPR enforcement across all member states. It consists of representatives from each national DPA and the European Data Protection Supervisor (EDPS).

The EDPB’s main functions are to:

  • Ensure consistent application of GDPR across the EU and EEA.

  • Resolve cross-border disputes — for example, when a company operates in multiple countries.

  • Issue binding decisions and guidelines to clarify GDPR interpretation.

  • Advise the European Commission on data protection matters.

The EDPB does not replace national authorities — rather, it harmonizes enforcement to prevent conflicting rulings and ensure fairness across borders.


3. The European Data Protection Supervisor (EDPS)

The EDPS is the independent authority responsible for ensuring that EU institutions and bodies comply with EU data protection rules (specifically Regulation (EU) 2018/1725, which mirrors the GDPR for the EU institutions).

The EDPS:

  • Monitors data protection practices of EU institutions such as the European Commission or European Parliament.

  • Advises on policies and legislation affecting privacy.

  • Cooperates with national DPAs through the EDPB.

So, while national DPAs enforce GDPR compliance among private companies and public authorities within their countries, the EDPS enforces GDPR within EU institutions themselves.


How GDPR Enforcement Works in Practice

The “One-Stop-Shop” Mechanism

For companies operating in multiple EU countries, GDPR enforcement is simplified by the “one-stop-shop” system.

Here’s how it works:

  • The company designates its lead supervisory authority (LSA) — typically where its main EU establishment is located.

  • That LSA takes the lead in investigations or enforcement actions that have cross-border implications.

  • Other concerned DPAs can provide input through the EDPB to ensure fairness and consistency.

Example:
If a U.S.-based tech company like Facebook has its EU headquarters in Ireland, the Irish Data Protection Commission (DPC) acts as the lead authority for most EU investigations.


What Happens When a GDPR Violation Occurs?

When a potential violation is reported or discovered, the enforcement process typically follows these steps:

  1. Complaint or discovery: A data subject, whistleblower, or auditor raises a concern.

  2. Investigation: The national DPA investigates, requesting evidence and conducting audits if necessary.

  3. Decision: If a breach is confirmed, the DPA can issue warnings, orders, or fines.

  4. Cross-border review: If other EU countries are affected, the case may be reviewed by the EDPB.

  5. Appeal: Organizations can appeal DPA decisions through national or EU courts.


Notable Examples of GDPR Enforcement

  • Meta (Facebook, Instagram, WhatsApp) – The Irish DPC has fined Meta over €2.5 billion collectively since 2021 for various GDPR breaches.

  • Amazon – Fined €746 million by Luxembourg’s CNPD for violating advertising consent rules.

  • Google – Fined €50 million by France’s CNIL for lack of transparency and valid consent in data processing.


Summary: Who Enforces the GDPR?

Role                                           Responsibility
National Data Protection Authorities (DPAs)    Enforce GDPR within individual EU/EEA member states, handle complaints, and issue fines.
European Data Protection Board (EDPB)          Coordinates GDPR enforcement and ensures consistent application across Europe.
European Data Protection Supervisor (EDPS)     Enforces GDPR compliance within EU institutions and bodies.

Final Thoughts – Who Is Responsible for Enforcing the GDPR?

GDPR enforcement is a shared responsibility across Europe. National data protection authorities act as the enforcers, the EDPB ensures unity in application, and the EDPS safeguards data within EU institutions. This multi-layered system ensures that privacy rights are protected consistently, regardless of where data flows within the European Union.