Overview —

Who Enforces GDPR?

GDPR is enforced by EU Data Protection Authorities, coordinated by the EDPB to ensure consistent compliance.

Share this article

Contents

No headings found on page

Who Enforces GDPR?

GDPR is enforced by independent Data Protection Authorities, one in each EU/EEA country — over 30 of them across the network, since some countries like Germany have multiple authorities at the federal and state level. But here's the part most summaries skip: if your company operates in more than one EU country, you don't actually have to deal with all of them. There's a mechanism built specifically to prevent that headache.

What DPAs Actually Do

Each DPA can investigate complaints, run audits, issue fines, and offer compliance guidance. They also coordinate with each other on cross-border cases — which matters a lot once you're operating in more than one country, because that coordination is structured, not informal.

The One-Stop-Shop: Your Real Point of Contact

If your company processes data across multiple EU member states, you generally deal with just one DPA — your "lead supervisory authority," based on wherever your main EU establishment is. That single authority takes the lead on investigations and coordinates with the other countries' DPAs (called "concerned supervisory authorities") rather than you having to respond to each one separately.

Here's how it actually works in practice: your lead authority drafts a decision, shares it with the other relevant DPAs, and if nobody objects, that's the final answer. If DPAs disagree, the case escalates to the European Data Protection Board for a binding resolution. This is a real, structured process — not just "DPAs are nice and cooperate."

One important exception: this one-stop-shop setup doesn't apply if you're a public authority or a private body acting in the public interest. In that case, you only ever deal with your own country's DPA, no matter how many EU countries your processing actually touches.

The European Data Protection Board's Real Role

The EDPB isn't an enforcement body itself — it doesn't fine anyone directly. Its job is keeping enforcement consistent across all the different DPAs, issuing guidance everyone's supposed to follow, and resolving disputes when DPAs can't agree on a cross-border case. Without it, you could end up with conflicting decisions about the exact same processing activity from different countries — which is exactly the inconsistency the one-stop-shop mechanism is designed to prevent.

The Scale of Actual Enforcement

This isn't theoretical. Between May 2018 and early 2026, DPAs collectively issued roughly €7.1 billion in GDPR fines. That number keeps climbing every year — enforcement has gotten more active over time, not less, as DPAs get more resourced and coordinated.

What This Means If You Operate Across Borders

Knowing who your lead supervisory authority actually is — not just "the EU" in some vague sense — matters before anything goes wrong, not after. It determines who you're actually building a relationship with, whose guidance carries the most direct weight for your compliance program, and who you'd be dealing with first if a complaint or investigation comes in. Companies that figure this out only after a problem starts are already behind.

Where This Connects to Other Frameworks

Building consistent governance across jurisdictions matters just as much for ISO 27001 and SOC 2 as it does for GDPR — both expect a coherent program, not patchwork compliance that varies by country. Once you know who your lead DPA is and what they expect, that same governance structure usually does double duty for the other frameworks too.

In the Spotlight

Start your GDPR compliance journey with DSALTA's complete checklist.

The General Data Protection Regulation (GDPR) is Europe’s core privacy law, shaping how organizations collect, process, and protect the personal data of EU residents. Non-compliance can result in heavy fines, reputational damage, and loss of customer trust.

GDPR can feel complicated with its broad scope and strict requirements, but DSALTA® makes it manageable. With automated evidence collection, continuous monitoring, and AI- driven risk insights, you can maintain compliance without drowning in manual work. Use this checklist to guide your GDPR journey.

Read more about GDPR compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.