Who enforces the GDPR — and how do fines actually happen?

Every country has an independent data protection authority (DPA) with real teeth: investigations, orders, and fines up to 4% of global turnover. Complaints from ordinary people start most cases.

Enforcement is national-first. Each EU/EEA country has a data protection authority (DPA) — France’s CNIL, Italy’s Garante, Spain’s AEPD, Ireland’s DPC and so on — independent by law, with powers to investigate, order changes, ban processing and fine (Art. 58). Complaining to yours is free: find it in our directory of all 33. Cross-border cases use the one-stop-shop: the DPA where the company has its EU headquarters leads (why Ireland handles Meta and Luxembourg handled Amazon), with the other authorities co-deciding; deadlocks go to the EDPB — the board of all DPAs — which can impose a binding outcome, as it did to force higher Meta fines. The EDPB also writes the guidelines DPAs enforce by. Fine ceilings (Art. 83): €10m/2% for “administrative” breaches, €20m/4% of global turnover for violating principles or people’s rights. Record-holders: Meta €1.2 billion (2023 transfers), Amazon €746m, Meta/Instagram and TikTok in the hundreds of millions. Beyond fines, DPAs can order deletion, stop AI training runs, and force design changes — often more painful than the cheque. You personally can also sue for damages (Art. 82), including non-material damage — the CJEU confirmed even fear of misuse can qualify.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority