The General Data Protection Regulation (GDPR) often called the most comprehensive data protection law in the world, sets strict rules for the processing of personal data within the European Union (EU) and beyond. While businesses must comply with GDPR requirements, enforcement is handled by Supervisory Authorities (SAs) and the European Data Protection Board (EDPB).
Understanding who enforces GDPR and what it entails is critical for businesses to ensure GDPR compliance, avoid GDPR fines, and protect data subject rights.
Overview of GDPR enforcement
GDPR enforcement is carried out by a network of regulatory bodies across the EU, ensuring that organisations uphold data protection principles and secure the personal data of EU citizens.
Who is responsible for enforcing GDPR- Key regulatory authorities
The following agencies are responsible for enforcing the EU’s privacy gold standard- the GDPR.
#1 Data Protection Authorities (DPA)
Each EU member state designates an independent Data Protection Authority (DPA)/ Supervisory Authority (SA) responsible for monitoring compliance, handling complaints, and issuing penalties. Some key regulatory bodies include:
- United Kingdom (UK): Information Commissioner’s Office (ICO)
- Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
- France: Commission Nationale de l’Informatique et des Libertés (CNIL)
- Spain: Agencia Española de Protección de Datos (AEPD)
Find your DPA
Official list of Data Protection Authorities
#2 European Data Protection Supervisor (EDPS)
The EDPS supervises the processing of personal data by EU institutions such as the European Council and the European Commission.
#3 European Data Protection Board (EDPB)
The EDPB is an independent official authority that oversees GDPR compliance and its enforcement across the union.
The body is composed of the representatives of EU/EAA Data Protection Authorities and the EDPS.
How does GDPR enforcement work?
- Supervisory authorities (SAs) investigate complaints, conduct audits, and impose fines for GDPR non-compliance.
- Data controllers and data processors must comply with legal obligations under GDPR to avoid enforcement actions.
- EDPB provides guidance and ensures harmonisation of data protection laws across Europe.
- Businesses must implement GDPR-compliant safeguards, such as purpose limitation, storage limitation, and data security measures.
Guide
What are the roles of Supervisory Authorities in GDPR enforcement?
The GDPR grants SAs broad powers to ensure compliance. Their responsibilities include:
Investigating and handling complaints
- Data subjects have the right to lodge complaints with their national DPA if they believe their data privacy rights have been violated.
- DPAs are obligated to investigate and respond to these complaints and ensure that corrective measures are taken.
Conducting audits and inspections
- Supervisory authorities can audit organisations to assess their GDPR compliance.
- Businesses must demonstrate that they conduct Data Protection Impact Assessments (DPIAs) and security measures.
- Audits help verify if companies comply with data minimisation, purpose limitation, and legal basis requirements.
Issuing GDPR fines and corrective actions
- SAs can impose administrative fines based on the severity of the GDPR violations.
- Fines can reach €20 million or 4% of global annual turnover for major violations.
- Corrective measures may include restrictions on data processing activities or warnings for potential GDPR non-compliance.
Monitoring international data transfers
- Supervisory authorities oversee cross-border data transfers to ensure compliance with GDPR’s data protection directive.
- Businesses transferring personal data outside the EU must implement safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) when transferring to non-adequacy countries.
Related read
What are the key responsibilities of businesses for compliance?
To avoid penalties, businesses must ensure GDPR compliance by implementing the following measures:
#1 Obtain lawful consent and implement opt-in mechanisms
- GDPR requires businesses to obtain clear and explicit consent before collecting personal data.
- Opt-in mechanisms must be GDPR-compliant, ensuring that users actively agree to data collection.
Does Your Website Reflect Privacy with the Right Cookie Banner?
A complaint cookie banner builds trust- Create one using CookieYes today
14-day free trialCancel anytime
#2 Appoint a Data Protection Officer (DPO)
- A DPO is mandatory for organisations engaged in large-scale processing of personal data.
- The DPO oversees GDPR compliance, audits, and training.
#3 Maintain a Record of Processing Activities (RoPA)
- Companies must document their processing activities, including data collection, storage, and transfers.
- Ensures transparency and facilitates GDPR audits.
#4 Implement data protection by design and default
- Businesses must embed privacy measures into products and services.
- This includes limiting data collection, ensuring secure data storage, and using encryption where necessary.
#5 Respond to data subject requests
- Under GDPR, individuals have the right to access, rectify, delete, or transfer their data (data portability).
- Companies must process consumer requests within one month.
#6 Secure personal data against data breaches
- Implement cybersecurity measures to prevent data breaches.
- In case of a breach, businesses must notify supervisory authorities within 72 hours.
What are the penalties for GDPR non-compliance?
GDPR fines and penalties
- Minor violations may result in fines of up to €10 million or 2% of global turnover.
- Serious violations can lead to €20 million or 4% of global turnover.
- Repeat violations may result in increased regulatory scrutiny and operational restrictions.
Guide
How can businesses avoid GDPR fines?
Ensuring GDPR compliance is crucial for avoiding penalties and maintaining consumer trust.
With DPAs increasing scrutiny on cookie consent practices, businesses must act now. One of the simplest and most effective ways to stay compliant? A GDPR-compliant cookie consent banner.
Simplify cookie compliance with CookieYes
Managing cookie consent manually can be complex, but CookieYes automates the process, ensuring your website meets GDPR, ePrivacy Directive, and other privacy law requirements. With customisable banners, automated consent logs, and real-time compliance monitoring, CookieYes works alongside businesses to stay on top of privacy compliance while enhancing user experience.
Listen to what our customers say on G2.
Make Your Website GDPR-Compliant in Minutes
Start your free trial with CookieYes today!
14-day free trialCancel anytime
Other measures include:
- Implement robust data protection policies aligned with GDPR requirements.
- Conduct data mapping to discover personal data stored by your organisation.
- Provide a detailed privacy policy to inform the data subject of your data handling practices.
- Conduct regular audits to identify potential GDPR violations.
- Train staff on data protection principles to ensure compliance with the GDPR.
Fact check: Debunking misconceptions about GDPR enforcement
Despite widespread awareness of GDPR compliance, several misconceptions persist about its enforcement. Let’s answer some of them.
#Myth 1: GDPR only applies to businesses in the EU
Fact: In reality, GDPR applies to any business worldwide that processes the personal data of EU residents.
#Myth 2: All data processing requires consent
Fact: GDPR provides six legal bases for processing data, and consent is just one of them.
#Myth 3: Anonymised data is exempt from GDPR
Fact: While fully anonymised data is not covered, pseudonymised data remains subject to GDPR rules.
#Myth 4: Small businesses are not impacted by GDPR
Fact: Any organisation, regardless of size, must comply if it processes data that falls under GDPR requirements.
What are the exemptions under GDPR?
While GDPR sets a broad regulatory framework, certain exemptions exist:
- Personal or household use: GDPR does not apply to data processing carried out for purely personal or domestic activities.
- Law enforcement and public security: Activities related to criminal investigations, national security, or public authority operations may be exempt from certain GDPR provisions.
See the full list of GDPR exemptions
What is the impact of GDPR enforcement on businesses?
The enforcement of GDPR has had significant implications for businesses across Europe and beyond:
- Increased compliance costs: Many organisations have had to invest in data protection officers (DPOs), legal teams, and GDPR training.
- Changes in marketing and advertising: Targeted advertising and data collection require explicit user consent.
- Greater transparency and accountability: Businesses must now maintain detailed records of data processing activities and comply with supervisory authority audits.
- Reputational risks: Non-compliance can lead to severe penalties, regulatory scrutiny, and loss of consumer trust.
What are some recent GDPR enforcement cases?
High-profile enforcement actions highlight the seriousness of GDPR violations:
#1 Uber fined €290 million for unlawful data transfers
What happened?
Uber was fined €290 million by the Dutch Data Protection Authority (AP) for illegally transferring European taxi drivers’ personal data to US servers. The investigation followed complaints from over 170 French drivers and revealed that Uber had failed to implement an adequate data transfer mechanism after the EU-US Privacy Shield was invalidated in 2020.
The issue
- Data included account details, location, payment information, and sensitive records.
- Uber failed to implement GDPR-approved data transfer safeguards, such as Standard Contractual Clauses (SCCs), after the invalidation of the EU-US Privacy Shield.
Key takeaway
Businesses transferring data outside the EU must use approved legal safeguards to avoid penalties.
#2 Meta fined €251 million for data breach
What happened?
The Irish Data Protection Commission (DPC) fined Meta €251 million for a data breach affecting 29 million Facebook users, including 3 million in the EU.
The issue
- Hackers exploited user tokens to access personal data, including names, contact details, locations, and workplace information.
- Meta failed to document the breach properly and did not implement GDPR’s data protection by design and default.
Key takeaway
Businesses should implement adequate security safeguards such as encryption to prevent unauthorised access.
#3 Google and Facebook fined for cookie consent violations in France
What happened?
France’s Data Protection Authority (CNIL) fined:
- Google – €150 million
- Facebook – €60 million
for non-compliant cookie consent practices.
The issue
- Both companies made it difficult to refuse cookies than to accept them.
- A separate €100 million fine against Google was upheld for placing cookies without explicit user consent.
Key takeaway
Websites must provide clear, user-friendly cookie consent mechanisms that allow users to reject cookies as easily as they accept them.
GDPR and other data protection laws
GDPR does not operate in isolation—it aligns with and sometimes conflicts with other data protection rules:
- ePrivacy Directive: Governs electronic communications, such as cookie consent and direct marketing.
- Data Protection Act (UK): Post-Brexit, the UK adapted GDPR into domestic law, but with some variations.
- Schrems II ruling: Nullified the Privacy Shield, requiring businesses to adopt Standard Contractual Clauses (SCCs) for data transfers.
The Schrems II ruling marked a major shift in EU-US cross-border data transfers. Following the decision, businesses must rely on contractual safeguards like Standard Contractual Clauses (SCCs) to lawfully transfer personal data.
This change invalidated Privacy Shield—a framework that previously allowed EU-US data transfers in line with European data protection standards.
The ruling primarily cited US government surveillance concerns and lack of adequate enforcement mechanisms as key reasons for its downfall. As a result, companies transferring EU data to the US must now implement additional safeguards like SCCs to comply with GDPR.
Wrap-up: Who is responsible for enforcing GDPR?
Understanding who enforces GDPR and how supervisory authorities operate is essential for businesses to stay GDPR-compliant.
The roles of Data Protection Authorities and the European Data Protection Board ensure that EU citizens’ data privacy rights are protected and enforced. Businesses that follow GDPR requirements, implement security measures, and uphold data protection laws can avoid fines and build consumer trust.
Staying compliant with GDPR enforcement is not just about avoiding non-compliance penalties—it’s about demonstrating a commitment to data privacy and responsible data processing.
By adopting best practices, conducting audits, and using tools like consent management platforms, businesses can navigate GDPR with confidence and ensure ongoing compliance in a rapidly evolving regulatory landscape.
FAQ on who enforces GDPR
The European Data Protection Board (EDPB) is responsible for ensuring harmonised enforcement of GDPR across EU member states. It:
- issues guidelines and recommendations to help businesses interpret GDPR provisions.
- resolves cross-border data protection disputes.
- ensures consistent application of GDPR fines and penalties.
- works closely with national supervisory authorities to oversee compliance and policy alignment.
The GDPR designates supervisory responsibilities to National Data Protection Authorities (DPAs), the European Data Protection Board (EDPB), and the European Data Protection Supervisor (EDPS).
GDPR is primarily enforced by National supervisory authorities known as Data Protection Authorities (DPAs) of each EU/EEA member state. Examples of DPA include Garante per la protezione dei dati personali of Italy and Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit of Germany.
Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
