What Is GDPR Enforcement? Who Enforces It and How It Works

A data-backed explainer on who enforces the GDPR, how the process works, and what the enforcement tracker really shows about who gets fined.


by Riad Us Salehin • 5 July 2026


GDPR enforcement is the activity of independent national Data Protection Authorities, coordinated by the EDPB. They investigate violations and impose fines of up to EUR 20 million or 4% of global turnover. As of mid-2026, regulators have logged more than 3,195 actions totaling over EUR 6.3 billion.

This guide covers who enforces the GDPR and how a complaint becomes a fine. It also covers what the tracker data shows by sector and country, and whether a small business or US company is really at risk.

What Is GDPR Enforcement?

GDPR enforcement is the system that turns the GDPR from text into consequences. Independent national regulators investigate suspected violations and impose fines or corrective orders under Articles 58 and 83. It is distinct from the GDPR text itself, which sets the rules, and from private lawsuits, which individuals bring under separate national laws.

The system exists because the GDPR has no single EU-wide police force. Instead, each member state's Data Protection Authority enforces the law within its borders, and the European Data Protection Board keeps their decisions consistent. This page covers who those regulators are and how their process runs from complaint to fine. It also covers what the enforcement data actually shows and who is realistically exposed.

Who Enforces the GDPR?

National Data Protection Authorities enforce the GDPR in each of the 27 EU member states plus the wider European Economic Area (Norway, Iceland, and Liechtenstein). The European Data Protection Board coordinates these authorities for consistency, and the European Data Protection Supervisor oversees EU institutions themselves, a separate and narrower role.

National Data Protection Authorities (DPAs)

A Data Protection Authority is the independent regulator responsible for GDPR compliance within its own country. Under Article 58, every DPA holds three categories of power.

  • Investigative powers: order audits, demand information, and access premises and equipment.
  • Corrective powers: issue warnings, reprimands, compliance orders, and fines, or ban processing entirely.
  • Advisory powers: issue guidance and advise national legislatures on data protection matters.

Several DPAs carry outsized weight because major technology companies are legally established in their countries.

CountryAuthorityNotable role
IrelandData Protection Commission (DPC)Lead authority for most Big Tech cross-border cases (Meta, TikTok, LinkedIn)
FranceCNILHigh case volume; issues many smaller, undisclosed fines
GermanyBfDI plus 16 state DPAsFederated structure across national and state level
SpainAEPDLeads the EU by raw fine count
ItalyGaranteActive on telemarketing and consent violations
NetherlandsAutoriteit Persoonsgegevens (AP)Issued the EUR 290 million Uber fine
United KingdomInformation Commissioner's Office (ICO)Enforces the separate UK GDPR post-Brexit

The European Data Protection Board (EDPB)

The EDPB coordinates the 30-plus national DPAs so the GDPR applies consistently across the EEA. It issues binding guidelines and advises the European Commission. It also steps in with Article 65 binding decisions when a lead authority and a concerned authority cannot agree on a cross-border case.

The One-Stop-Shop and the "Irish Bottleneck"

For a company with cross-border operations, one lead supervisory authority runs the investigation (usually where its main EU establishment sits). Other affected DPAs act as consulted, concerned authorities. This one-stop-shop model is meant to cut duplicate investigations for both companies and regulators.

So many major platforms are established in Ireland that the Irish DPC ends up as lead authority for most Big Tech cases. Roughly 87% of cross-border complaints against Irish-established companies involve just eight major tech firms.

Critics call this pattern the Irish bottleneck. The EDPB has overruled or directed a stricter outcome in about 67% of the Irish DPC's cross-border cases as of May 2023. The advocacy group noyb also reports that more than 85% of its 800-plus complaints filed since 2018 remain undecided.

How Does GDPR Enforcement Work? From Complaint to Fine

GDPR enforcement runs a defined path from the first trigger to a final, appealable decision.

  1. A trigger occurs: a complaint, a breach notification, or a proactive audit opens the case.
  2. A lead authority is designated: for cross-border cases, the one-stop-shop assigns a lead DPA based on the company's main EU establishment.
  3. Investigation begins: the DPA requests information, audits systems, and gathers evidence under its Article 58 investigative powers.
  4. A draft decision is prepared: the lead DPA circulates its findings to other "concerned" authorities.
  5. Concerned DPAs are consulted: disagreements escalate to the EDPB for an Article 65 binding decision.
  6. A final decision issues: this may include a fine, a corrective order, or both.
  7. Appeal follows, if contested: the company can challenge the decision in national courts.

What Triggers a GDPR Investigation?

A reported data breach, a data subject's complaint, or a proactive regulatory audit are the three most common ways a GDPR investigation starts.

  • Individual complaints: a person reports that an organization mishandled their data; this is the single most common starting point.
  • Mandatory breach notifications: Article 33 requires notifying the supervisory authority within 72 hours of discovering a data breach notification; missing that window is itself an investigable failure.
  • Proactive audits and sweeps: DPAs periodically audit sectors or specific practices without waiting for a complaint.
  • Employee or whistleblower reports: internal reports can trigger a regulatory look.
  • Activist and NGO referrals: groups like noyb file complaints on data subjects' behalf, often in bulk.

What Penalties Can Regulators Impose? (It Is Not Just Fines)

Fines get the headlines, but Article 58 gives regulators a broader toolkit than money alone. Lesser violations cap at EUR 10 million or 2% of global turnover. The most severe cap at EUR 20 million or 4%, whichever amount is higher in each tier. Read the full breakdown of how GDPR fines are calculated for the Article 83 factors regulators weigh.

Beyond the fine itself, a DPA can also impose:

  • Warnings and reprimands for less severe or first-time issues.
  • Compliance orders requiring specific changes within a deadline.
  • Temporary or permanent processing bans, which can halt a business function entirely.
  • Data-transfer suspensions, cutting off a company's ability to move EU data abroad.

GDPR Enforcement by the Numbers: Fines by Sector, Country, and Year

As of mid-2026, the GDPR Enforcement Tracker counts 3,195 enforcement actions totaling over EUR 6.31 billion. The CMS Enforcement Tracker Report 2026 separately puts the tally at 2,685 confirmed fines worth EUR 6.11 billion as of March 2026. That averages roughly EUR 2.28 million per fine. Both figures move constantly as new decisions publish; treat any total as a snapshot, not a fixed number.

The Sectors Fined Most

"Industry and Commerce" and "Media, Telecoms and Broadcasting" lead by the sheer number of fines issued. The largest individual penalties, though, concentrate in a narrower set of sectors.

SectorFine count signalFine value signalExample evidence
Industry and CommerceHighest number of finesMostly mid-size penaltiesBroad base of SME and retail cases
Media, Telecoms and BroadcastingSecond-highest countHome to the largest fines by valueMeta (EUR 1.2 billion), TikTok (EUR 530 million), LinkedIn (EUR 310 million)
EmploymentFewer but high-valueLarge individual penaltiesUber (EUR 290 million, driver data transfers)
Transportation and EnergyModerate countHigh-value outliersSector cited among the largest-penalty categories in the CMS 2026 report

For the full ranked list of the largest penalties on record, see the biggest GDPR fines to date.

The Countries That Fine Most

Spain issues the most fines by volume, while Ireland dominates by total euros because it is the legal home of most fined Big Tech firms.

CountryFine count signalFine value signalNote
SpainLeads the EU, over 1,000 tracked casesMostly smaller individual finesHigh volume of SME and marketing-consent cases
ItalySecond by count (roughly 490)Mid-size fines, some large outliersActive on telemarketing (Sky Italia, EUR 842,062, 2024)
RomaniaThird by countMostly smaller finesConsistent enforcement activity since 2018
IrelandLower count, far fewer casesDominates by value: 9 of the top 10 fines overallLead authority for most Irish-established Big Tech

The Most Common Violations

Insufficient legal basis for processing personal data is the single most common GDPR violation, ahead of security failures and transparency gaps.

  1. Insufficient legal basis for processing (the top category by count)
  2. Non-compliance with general data-processing principles
  3. Insufficient technical and organizational security measures
  4. Failure to fulfill data-subject rights requests
  5. Inadequate transparency and information obligations

That top category, consent and lawful-basis failures, is exactly the layer a website's cookie and tracking setup controls.

Is GDPR Actually Enforced? The "Shadow Enforcement" Reality

Yes, and more actions happen than the headlines suggest. Regulators such as France's CNIL issue the vast majority of their decisions as smaller, unpublicized penalties rather than the billion-euro cases that make news.

The GDPR Enforcement Tracker's own smallest recorded fine is EUR 28, issued to a Hungarian entity in 2020. That is a stark contrast to Meta's EUR 1.2 billion. Italy's Garante fined Sky Italia EUR 842,062 in 2024 for unlawful telemarketing, a case that never generated international coverage.

This pattern, where most enforcement activity never becomes a headline, is what privacy researchers call shadow enforcement. The visible mega-fines are the exception, not the norm.

Enforcement is also scaling up, not winding down. Regulators are sharpening scrutiny on data-erasure failures and unlawful international transfers, the same categories behind the largest recent fines. The EDPB coordinates that focus across authorities so the pressure lands consistently.

The honest counterpoint is speed, not existence. Cross-border cases routed through Ireland can take years to resolve. The EDPB has had to override the Irish DPC's proposed outcome in roughly two-thirds of contested cross-border cases. Slow does not mean absent. Regulators still act on thousands of smaller cases every year while the largest cases work through appeals.

Could a Small Business or US Company Really Be Fined?

Small businesses face real but proportionate exposure, and US companies fall under GDPR whenever they handle EU residents' data, regardless of where their servers sit.

Small businesses are not exempt: any organization that collects or processes EU residents' personal data must comply, no matter its size. Fines scale to turnover, so most small-business penalties land in the five- or six-figure range rather than the billions.

A 2026 Reddit thread of small-business owners found a consistent pattern. Companies making a genuine, good-faith effort at compliance rarely become enforcement targets, while regulators concentrate on egregious or ignored violations. Read whether the GDPR applies to you to check your own exposure.

US companies are covered extraterritorially. Article 3 applies the GDPR to any organization, anywhere, that offers goods or services to EU residents or monitors their behavior. A US International Trade Commission briefing documents fines and investigations reaching US-based firms directly.

A US company with no EU office can still be required to appoint an EU representative under Article 27. Its market access can be pressured even when collecting a fine directly is legally harder. See what GDPR means for US companies for the compliance specifics.

How Does Regulator Enforcement Differ from the Cookie and Pixel Lawsuits?

Regulator enforcement and private lawsuits are two separate legal tracks that both start with the same tracking failure, but they run through entirely different systems.

Regulator enforcement is what this page covers: a Data Protection Authority investigates under EU law and imposes a fine or corrective order. Private lawsuits are a different vector entirely. Individuals or class actions sue under laws like California's CIPA or the federal VPPA over specific tracking practices. Most often that means pixels and session replay tools, with no EU regulator involved.

For the full picture of that private-litigation risk, see the wave of cookie and pixel lawsuits. That includes California's CIPA wiretapping suits and the Meta Pixel lawsuits specifically.

One caveat on terms: the Law Enforcement Directive is a separate EU framework. It governs police data processing, not GDPR enforcement.

How to Lower Your GDPR Enforcement Risk

Fixing your consent and lawful-basis layer addresses the single most common violation category regulators cite.

  1. Get a valid lawful basis, including consent for cookies and trackers, before they fire, not after.
  2. Keep your policies accurate and current: check whether your site legally needs a cookie policy and match it to what you actually collect.
  3. Honor data-subject rights on time, including access, deletion, and retention limits; review the full list of data subject rights you must support.
  4. Secure the data and notify breaches within 72 hours under Articles 32 and 33.
  5. Keep records as proof: consent logs and processing records are what a regulator asks for first.
  6. Audit vendors, processors, and international transfers: confirm whether your tech stack is compliant and understand the difference between a controller and a processor for who is actually liable.

How Consently Helps You Get Consent Right (the Most-Fined Failure)

Insufficient legal basis tops the enforcement data, so the consent layer on your own website is where you can measurably cut risk. That is the layer Consently controls.

Consently's GDPR opt-in cookie banner scans your site automatically and blocks non-essential cookies, scripts, and iframes before they load. Nothing fires without a lawful basis in place first. That auto-blocking runs on a weekly schedule plus on-demand scans, catching new trackers as marketing and analytics tools change.

Every consent decision is stored in a consent log you can export, giving you the audit trail a regulator or a client can ask for. Consently handles the website consent layer; it is not a substitute for legal advice. It does not address backend, security, or international-transfer violations, the failures behind the largest fines on this page.

Start with Consently free or see the full GDPR cookie consent solution built for this exact risk.

FAQs

What is GDPR enforcement?

GDPR enforcement is the process by which independent national Data Protection Authorities investigate violations and impose fines or corrective orders. The EDPB coordinates their decisions across the EU and EEA.

How much has been fined under the GDPR so far?

As of mid-2026, the GDPR Enforcement Tracker counts over EUR 6.3 billion across more than 3,195 actions. The figure changes constantly as new fines publish, so treat any total as a snapshot.

What is the GDPR Enforcement Tracker?

The GDPR Enforcement Tracker is a searchable database run by the law firm CMS that lists publicly known GDPR fines and penalties. It is a data source for researching enforcement patterns, not a regulator itself.

What is GDPR called in the USA?

There is no single US federal equivalent to the GDPR. The closest analogs are state-level laws such as the CCPA and CPRA, plus sector-specific rules like HIPAA for health data. No nationwide privacy law mirrors GDPR's scope.

How long does a GDPR investigation take?

Timelines vary widely. A straightforward domestic complaint can resolve in months. A contested cross-border case routed through the one-stop-shop and an EDPB dispute can take years to reach a final decision.

Can you go to jail for a GDPR violation?

The GDPR itself imposes administrative fines and corrective orders, not prison time. Some member states layer their own criminal law on top. Denmark has prosecuted GDPR-related conduct criminally, and the UK's Data Protection Act 2018 has produced at least one prison sentence for unlawfully obtaining personal data.

Does the GDPR still apply in the UK after Brexit?

The EU GDPR no longer applies directly in the UK, but the UK GDPR, enforced by the ICO, mirrors it closely under domestic law. The EU GDPR still reaches UK firms that offer goods or services to, or monitor, EU residents.

Has any company gone bankrupt from a GDPR fine?

No confirmed case of a company going bankrupt solely from a GDPR fine is on record. Fines scale to a percentage of global turnover, up to 4%, calibrated to be serious but not automatically fatal. A large fine combined with remediation costs is still a genuine business risk.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.