Step-by-step help to master cookie compliance

Guides

Gdpr Enforcement 2025

GDPR Enforcement: Complete Guide for 2025

The General Data Protection Regulation (GDPR) remains one of the strictest data privacy laws worldwide. Since its enforcement in 2018, regulators have issued billions in fines and reshaped business practices. GDPR also influenced data protection regulations in many other countries globally. 

While businesses must comply with GDPR requirements, several authorities enforce the law.

On the national level, Data Protection Authorities (DPAs) in each EU country enforce the GDPR. DPAs are enforcing the GDPR by monitoring compliance, investigating breaches, and issuing fines.

The European Data Protection Supervisor (EDPS) monitors GDPR enforcement by ensuring that European institutions and bodies respect the right to privacy and data protection when they process personal data or create new regulations.

The European Data Protection Board (EDPB) ensures consistent enforcement across the EU. In the UK, the Information Commissioner’s Office (ICO) enforces user data protection and information rights.

Understanding in detail who enforces GDPR, what their roles are, and common practices is critical for businesses to ensure GDPR compliance and avoid GDPR fines. Read this article to learn in detail about the roles of these enforcement bodies.

What Is GDPR Enforcement?

GDPR enforcement refers to how data protection authorities (DPAs) and European regulators ensure businesses and organizations comply with GDPR requirements. It is carried out by a network of regulatory bodies across the EU.

GDPR enforcement includes investigating complaints, auditing companies, issuing warnings, and imposing fines for GDPR non-compliance. In the most extreme cases, DPAs can even require stopping the activity of an organization and restricting data processing.

Enforcement aims to protect EU citizens’ privacy and personal data, ensure transparency, and set requirements for businesses regarding their data collection, storage, and management practices.

How Does GDPR Enforcement Work?

National Data Protection Authorities handle GDPR enforcement in each EU member state.

GDPR Enforcement consists of the following steps:

  1. Complaints or discovery by DPA
    Enforcement usually starts with a complaint or a regulator-initiated audit. Enforcement can be triggered by individuals' complaints, data breach notifications, or proactive DPA audits.
  2. Audit
    National authorities perform an investigation of an organization by reviewing its data handling policies, practices, user rights implementation, and security measures regarding user personal data management.
  3. Decision
    In the case of GDPR non-compliance, regulators may issue warnings, corrective orders, or administrative fines.
  4. Appeals
    Organizations can challenge decisions in court. However, this rarely helps to overturn issued fines.

For cross-border cases, when a supposed violation involves more than one EU country, a lead supervisory authority is responsible for the GDPR enforcement.

If national authorities don’t reach a common decision, the European Data Protection Board (EDPB) comes into action to help resolve disputes. EDPB provides guidance and ensures harmonization of data protection laws across Europe.

Penalties for non-compliance with the GDPR are huge and scaled depending on the severity of non-compliance. Less severe breaches can cost up to €10 million or 2% of global annual turnover, while fines for serious violations can reach up to €20 million or 4% of global annual turnover.

Read the guide on how to comply with the GDPR:

Download CookieScript FREE GDPR checklist

How GDPR Enforcement Has Evolved Since 2018?

When GDPR took effect in May 2018, regulators initially focused on education and warnings. Later, GDPR enforcement shifted from initial guidance and smaller fines to more substantial penalties, focusing on Big Tech companies, and increased personal liability for executives. This phase was followed by expanding sectoral scrutiny beyond tech and cross-border data transfer investigations.

Over time, enforcement resulted in a significant increase in the number of violations and the total value of fines, reaching multi-million or even billion-euro penalties, especially since 2022.

Enforcement still varies across EU member states. 

Key milestones of GDPR enforcement include:

  • 2018
    The initial phase preferred guidance over penalties. DPAs issued relatively few fines with small amounts.
  • 2019–2020
    First wave of strict enforcement heavily targeted international Big Tech and social media companies. The French CNIL was among the pioneers, in 2019 issuing the first major fine of €50 million to Google for transparency violations.
  • 2021–2023
    Increase in the number and value of fines, with Big Tech remaining a major focus.
    During this period, cross-border enforcement was scrutinized heavily.
  • 2024–2025
    The current phase marks intensified enforcement with record-breaking fines. In May 2023, the first billion euro fine (€1.2 billion) was levied under the GDPR to Meta Platforms Ireland Limited for unlawful data transfers to the United States.
    Enforcement is expanding beyond tech, with greater attention paid to financial services, energy, and other non-tech sectors.
    During this phase of enforcement, company executives were held personally accountable for data protection failures.
    Recently, GDPR enforcement pays greater attention to AI, cloud services, and other new technologies.

The GDPR has become an international standard and a global benchmark for privacy legislation, inspiring similar frameworks in other countries and influencing global data practice.

Key Regulators Behind GDPR Enforcement

Multiple bodies work together to ensure GDPR compliance and consistency of enforcement across the EU, including:

  • Data Protection Authorities (DPA)
  • European Data Protection Supervisor (EDPS)
  • European Data Protection Board (EDPB)

Data Protection Authorities (DPA) and Their Role in GDPR Enforcement

The first point of contact for individuals filing GDPR complaints is the national Data Protection Authority (DPA). Each EU member state has a national DPA responsible for monitoring compliance, handling complaints, and issuing penalties within its jurisdiction.

The most well-known Data Protection Authorities include:

  • France: Commission Nationale de l’Informatique et des Libertés (CNIL)
  • United Kingdom (UK): Information Commissioner’s Office (ICO)
  • Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
  • Spain: Agencia Española de Protección de Datos (AEPD)
  • Italy: The Garante per la protezione dei dati personali.

European Data Protection Supervisor (EDPS) and Its Role in GDPR Enforcement

The European Data Protection Supervisor (EDPS) supervises GDPR compliance within EU institutions such as the European Council and the European Commission and advises on new legislation impacting privacy.

It also ensures EU bodies handle personal data lawfully and consistently with GDPR principles.

European Data Protection Board (EDPB) and Its Role in GDPR Enforcement

The European Data Protection Board (EDPB) is an independent official authority, coordinating enforcement across EU/EAA member states with the aim to issue guidance for a harmonized approach.

It resolves disputes between DPAs and plays a critical role in cross-border cases, especially those involving multinational corporations.

The EDPB is composed of the representatives of Data Protection Authorities and the EDPS.

The Roles of Supervisory Authorities in GDPR Enforcement

The GDPR grants Supervisory Authorities (SA) broad powers, including:

  • Investigating complaints
    Data subjects have the private right of action to file complaints with their national DPA if they believe their data privacy rights have been violated or their data was leak to third parties. DPAs are obliged to investigate these complaints. DPAs must give a response to Data subjects (individuals) and take measures against organizations to stop their non-compliant activities.  
  • Conducting audits
    Supervisory authorities can audit organizations to evaluate their GDPR compliance. Supervisory authorities check if businesses comply with data minimization, purpose limitation, legal basis requirements, and implement adequate security measures to protect user data. SAs also audit whether businesses conduct Data Protection Impact Assessments (DPIAs).
  • Issuing GDPR fines and making corrections
    Supervisory authorities can impose administrative penalties based on the severity of the GDPR violations. Fines can reach up to €10 million or 2% of global annual turnover, while fines for serious violations can reach up to €20 million or 4% of global annual turnover. Besides fines, supervisory authorities can issued restrictions on data processing activities or warnings for potential GDPR non-compliance.
  • Monitoring international data transfers
    Supervisory authorities also monitor cross-border data transfers to protect EU citizens’ data and ensure GDPR compliance. Authorities check if businesses transferring personal data outside the EU implement safeguards when transferring to non-adequacy countries. Safeguards include Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Check for free whether your website uses cookies or other trackers:

How Does GDPR Enforcement Differs Across EU Member States?

While GDPR sets a common legal framework, its enforcement is handled by decentralized national DPAs. Thus, GDPR enforcement slightly differs across EU Member States, leading to variations in how complaints are handled, the procedural methods used, and the outcomes of investigations.

Each Member State has its own national DPA, which operates independently and has different funding, staffing, and technical resources. DPAs in different countries may prioritize different types of data protection cases based on national concerns or public attention.

Cultural differences influence how seriously individuals take data protection concerns and how actively they report infringements.

There could also be procedural differences: some DPAs may rely on formal decisions and penalties, while others might prefer informal agreements or settlements to resolve cases.

Thus, GDPR enforcement intensity among EU countries varies:

  • France (CNIL): France is known for strict and proactive enforcement. It was one of the first countries to impose huge fines on Big Tech companies.
  • Spain: Spain has issued the biggest number of GDPR fines in the EU, although the fines are often smaller in value. As of September 2025, Spain has issued 1,021 fines with a total of ~ €120,750,450. The Spanish Data Protection Agency (AEPD) has issued over one thousand fines for unlawful data transfers, inadequate consent, and cookie misuse violations.
  • Ireland: Ireland is the lead regulator for many Big Tech companies due to their headquarters location. Overall, it had issued the biggest fines for GDPR violations. All the above-mentioned fines were issued by the Irish DPA. Ireland has issued about €3.5 billion in GDPR-related fines since May 2018.
  • Germany: Germany’s DPA is a strong regional DPAs with rigorous standards.
  • Italy: Italy’s DPA is becoming increasingly active in issuing fines against SMEs.

This uneven enforcement creates challenges for businesses operating across multiple jurisdictions.

Common GDPR Violations and Penalties for GDPR Non-Compliance

The most frequent GDPR violations include:

  1. Lack of valid consent for data processing
    Processing personal data and user tracking for advertising without user consent is the most common GDPR violation and cause of fines. Article 6 of the GDPR states that organizations are only allowed to process data if they have legal basis. The most common form of a legal basis is user consent.
  2. Transparency issues
    Failure to inform data subjects about data collection and processing activities is also a frequent GDPR violation. Article 5 of the GDPR states that data subjects have the right to know whether their data is collected and how it is processed. Under Article 5, data processing must be done in a lawful, fair, and transparent manner. Data processing must have a legitimate purpose, and businesses can not extend it beyond that purpose.
  3. Inadequate security measures
    Under the GDPR, data controllers and processors must implement robust security measures to protect personal data from unauthorized access, disclosure or loss. This may include technical measures like adequate encryption, physical security, cybersecurity software, and good password practices, as well as organizational safeguards like employee security training, access controls, and confidentiality clauses.
  4. Data breaches
    Inadequate security measures may lead to data breaches. Under the GDPR, organizations must notify DPAs and affected individuals within the 72-hour timeframe when a breach occurs. Organizations are often fined for failing to adequately document data breaches and notify DPAs and affected individuals within the required timeframe.
  5. Improper international data transfers
    Transferring personal data outside the EU without ensuring proper safeguards is also one of the most common GDPR violations. For international data transfers, organizations must implement adequate data transfer mechanisms. In 2020, the Schrems II ruling invalidated the EU-US Privacy Shield, making it illegal to transfer personal data to the US under that framework due to inadequate data protection. Businesses must rely on other mechanisms, like Standard Contractual Clauses (SCCs), and are obliged to perform due diligence, assess third-country legal systems, and implement supplementary measures to ensure an essentially equivalent level of protection to EU standards.
  6. Failure to honor data subject rights
    Businesses are obliged to adequately respond to individuals' requests to access, rectify, or erase their personal data. Failure to uphold data subject rights leads to GDPR violations and penalties.
  7. Poor cooperation with DPAs
    Not cooperating with the Data Protection Authorities in a timely manner is a common violation that can lead to penalties.

Depending on the nature and scale of the violation, penalties range from warnings to multi-million-euro fines.

What Are the Penalties for GDPR Non-Compliance?

Fines for GDPR non-compliance are huge:

  • Minor violations may result in fines of up to €10 million or 2% of global annual turnover, whichever is higher.
  • Serious violations can lead to €20 million or 4% of global annual turnover, whichever is higher.
  • Repeated violations may lead to increased regulatory scrutiny and operational restrictions.

Examples of biggest GDPR fines for non-compliance

As of 2025, the top GDPR fines are the following:

  1. Meta – €1.2 Billion (2023): The Irish DPC fined Meta for transferring personal data of European users to the US without adequate data protection safeguards.
  2. Amazon – €746 Million (2021): Amazon was fined €746 million for lack of valid user consent in user tracking and advertising practices.
  3. TikTok – €530 Million (2025): TikTok was fined for violations related to handling children's personal data, including making their accounts public by default.
  4. Meta – €405 Million (2022): The Irish DPC also fined Meta for forcing users to consent to targeted advertising.
  5. Meta – €390 Million (2023): Meta was fined another huge fine for its practices regarding targeted advertising on Facebook and Instagram.

How to track GDPR fines?

GDPR enforcement intensity among EU countries varies. There are huge differences between the fines of National Data Protection Authorities (DPAs).

The GDPR Enforcement Tracker is a database and reporting tool maintained by CMS law firm that tracks publicly reported GDPR fines and enforcement actions across EU member states. It provides a fines database where you can filter by country, year, sector, violation type, etc. Here, you can filter fines to view which DPOs issued the most, which sectors are most affected, common types of violations, and the extent of the fines.

Spain has issued the biggest number of GDPR fines in the EU, although the fines are often smaller in value. As of September 2025, Spain has issued 1,021 fines with a total of ~ €120,750,450. 

Ireland had issued the biggest fines for GDPR violations due to the headquarters location of Big Tech companies. Ireland has issued about €3.5 billion in GDPR-related fines since May 2018.

As of October 2025, the total sum of fines for GDPR non-compliance reached €6.7 billion

Keep in mind that not only big companies, but also small ones or even individuals can be fines for GDPR non-compliance. In such cases, the size of the fine is smaller.

For example, the most recent fine was issued by Romanian DPA in 18 of September 2025. A business (Dr. Max SRL) was fined €1000 for insufficient fulfilment of data subjects rights. 

Most targeted industries for GDPR violations

The most targeted industries for GDPR violations include:

  • Tech & social media
    Frequent fines for data misuse and unlawful profiling. Big Tech companies have also received the biggest fines so far.
  • Finance
    The most common penalties came for weak security and mishandling sensitive data.
  • Healthcare
    The main reason for GDPR violations is improper safeguarding of patient data.
  • E-commerce & retail
    GDPR violations are mostly tied to marketing consent and data retention.

The Future of GDPR Enforcement

Looking ahead at GDPR enforcement trends in 2025 and 2026, it is expected to intensify in areas such as:

  • Artificial Intelligence (AI)
    Business should ensure compliance with both GDPR and the new EU AI Act.
  • Cross-border data transfers
    DPAs are expected to be stricter in scrutinizing international data transfers.
  • SMEs and startups
    GDPR enforcement is expected to grow beyond large corporations and big technology companies.
  • Real-time audits
    DPAs may use new technologies for proactive monitoring of GDPR enforcement.

What Are the Key Responsibilities of Businesses for Compliance?

To avoid GDPR fines, businesses must ensure GDPR compliance by implementing the following steps:

1. Obtain lawful consent

GDPR requires businesses to obtain clear, unambiguous, and explicit user consent before collecting personal data. Businesses must implement GDPR-compliant opt-in mechanisms, allowing users to accept or reject cookies and ensuring that users explicitly agree to data collection.

Dark color banner of CookieScript

An example of a GDPR-compliant Cookie Banner by CookieScript

2. Implement a clear Privacy Policy

Under the GDPR, businesses must have a clear and accessible Privacy Policy. A Privacy Policy should include information on the types of information you collect, what you do with data, data sharing and third-party providers, data retention and deletion policies, and the use of cookies or other website trackers.

Place your Privacy Policy in an easy-to-find place on your website or app.

3. Conduct Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) is a process designed to identify and evaluate the potential risks associated with processing personal data where the processing could result in high risk.

Under the GDPR, DPIA is mandatory when data processing is likely to result in a high risk associated with processing the personal data of individuals. DPIA should be carried out when handling sensitive data, automated processing, video surveillance of public places, and new technologies.

It is recommended to perform the Data Protection Impact Assessment once a year.

4. Keep a record of processing activities

Organizations must document their data processing activities, including data collection, storage, management, and transfers. This helps to ensure transparency and facilitates GDPR audits.

5. Appoint a Data Protection Officer (DPO)

A Data Protection Officer (DPO) is mandatory for organizations engaged in large-scale processing of personal data. A DPO is responsible for monitoring data protection compliance, providing advice on DPIAs, overseeing data breach response, conducting employee training, and ensuring transparency in data processing activities

6. Implement data protection by design and default

When designing the product or service, businesses must implement privacy measures to protect users personal data.

Businesses must limit data collection, delete data when it is no longer needed, ensure secure data storage, and use encryption where necessary.

7. Train employees

Businesses should train employees on the best practices of GDPR compliance, including secure data handling, timely response to data subject requests, data safety measures, breach notifications, and other GDPR compliance recommendations.

8. Respond promptly to data subject requests

GDPR grants individuals the right to access, rectify, delete, or transfer their data.

Businesses must provide individuals with the means to implement their rights, usually through email or online forms. Businesses must respond to data subject requests in 30 days.

9. Protect personal data against data breaches

Businesses must implement cybersecurity measures to prevent data breaches.

In case of a breach, businesses must notify supervisory authorities about data breaches within 72 hours.

10. Use a Consent Management Platform

Managing cookie consent and recording user choices manually can be complex.

Use a Consent Management Platform (CMP) like CookieScript to deliver customized cookie banners, record user consent logs, scan your website or app for cookies, and create and update a Privacy Policy for your website.

To avoid GDPR fines, use CookieScript CMP to ensure GDPR compliance.

CookieScript CMP has the following features:

 

Note that in 2025, CookieScript received the fourth badge in a row as the leader on G2, a peer review site, and became the best CMP on the market for a whole year! 

Register for free Show pricing plans

Frequently Asked Questions

Who enforces GDPR?

GDPR is enforced by national Data Protection Authorities (DPAs) in each European Economic Area (EEA) member state. These DPAs have powers to investigate complaints, perform audits, issue warnings, and impose fines. DPAs are coordinated by the European Data Protection Board (EDPB), which aims to ensure consistent enforcement across the EEA. Use CookieScript CMP to comply with the GDPR and avoid penalties.

Does the UK enforce GDPR?

Yes. The Information Commissioner's Office (ICO) is the UK's independent authority that enforces the UK GDPR and Data Protection Act 2018. It provides guidance to individuals and organizations on data privacy and has the power to investigate complaints, issue warnings, and impose fines. Use CookieScript CMP to comply with the UK GDPR and Data Protection Act 2018.

How to avoid GDPR fines?

To avoid GDPR fines, businesses must obtain lawful consent, implement a clear Privacy Policy, conduct DPIAs, keep a record of processing activities, appoint a data protection officer (DPO), implement data protection by design and default, train employees, and use a Consent Management Platform like CookieScript to deliver cookie banners and manage user consent.

What are the most targeted industries for GDPR violations?

The most targeted industries for GDPR violations include tech & social media, finance, healthcare, e-commerce & retail. Use CookieScript CMP to comply with the GDPR.

What are the biggest GDPR fines for non-compliance?

The top GDPR fines include Meta – €1.2 Billion (2023), Amazon – €746 Million (2021), TikTok – €530 Million (2025), Meta – €405 Million (2022), and again Meta – €390 Million (2023). CookieScript CMP can help you to comply with the GDPR and avoid fines.

What are the most common GDPR violations?

The most frequent GDPR violations include a lack of valid consent for data processing, transparency issues, inadequate security measures, data breaches, improper international data transfers, and failure to honor data subject rights. Use CookieScript CMP to comply with the GDPR and avoid fines.

ON THIS PAGE

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.