The GDPR relies on a network of independent public bodies to monitor and enforce data protection law across the European Economic Area. These supervisory authorities, commonly called Data Protection Authorities (DPAs), hold investigative, corrective, and advisory powers that directly affect every organisation processing personal data within their jurisdiction.
Each EU member state must designate at least one supervisory authority under Article 51 GDPR. With 27 EU member states plus Iceland, Liechtenstein, and Norway in the EEA, the network currently comprises over 30 DPAs. Some member states, such as Germany, maintain multiple authorities at the federal and state level. Between May 2018 and January 2026, these authorities collectively imposed EUR 7.1 billion in GDPR fines, demonstrating that enforcement is not theoretical.
What Is a Supervisory Authority Under GDPR?
Articles 51-59 of the GDPR establish the legal framework for supervisory authorities. Article 51 requires each member state to provide for one or more independent public authorities responsible for monitoring the application of the regulation. Independence is a structural requirement: DPAs must be free from external influence, adequately funded, and staffed with qualified personnel.
What Powers Do Supervisory Authorities Have?
Article 58 divides DPA powers into three categories. Investigative powers (Article 58(1)) include ordering controllers and processors to provide information, carrying out audits, obtaining access to premises, and reviewing certifications. Corrective powers (Article 58(2)) include issuing warnings, reprimands, and orders to comply, imposing temporary or definitive bans on processing, ordering data rectification or erasure, and imposing administrative fines under Article 83.
Advisory and authorisation powers (Article 58(3)) cover issuing opinions on legislative proposals, approving binding corporate rules, and authorising contractual clauses for international data transfers.
The fine ceiling for the most serious infringements (violations of the data processing principles, data subject rights, and international transfer rules) is EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of EUR 10 million or 2% applies to infringements of the controller and processor obligations in Articles 25-39 and related provisions. The CJEU has confirmed that "worldwide annual turnover" is assessed against the undertaking as a whole in the competition-law sense, i.e. the economic unit rather than only the infringing subsidiary, aligning GDPR liability with EU competition law concepts.
How Does the One-Stop-Shop Mechanism Work?
The one-stop-shop mechanism (Articles 56 and 60) allows organisations engaged in cross-border processing to deal primarily with a single Lead Supervisory Authority (LSA). The LSA is the DPA in the member state where the organisation has its main establishment, meaning the place where decisions about the purposes and means of processing are taken.
When a complaint involves cross-border processing, the LSA coordinates with Concerned Supervisory Authorities in other affected member states. The LSA prepares a draft decision and shares it with all concerned DPAs. If no objections are raised, the decision is adopted. If disagreements arise, the case may escalate to the EDPB’s dispute resolution mechanism under Article 65.
In June 2025, the Council of the EU and the European Parliament reached a provisional agreement on a GDPR Procedural Regulation to harmonise cross-border enforcement procedures. This reform addresses persistent criticism that the one-stop-shop mechanism allowed lengthy delays, particularly in cases routed through Ireland's Data Protection Commission, which acts as lead authority for most large technology companies because their EU main establishments are located in Ireland.
The EDPB and Cross-Border Cooperation
The European Data Protection Board (EDPB), established under Article 68, is the successor to the Article 29 Working Party. It comprises the heads of each national DPA and the European Data Protection Supervisor. The EDPB ensures consistent application of the GDPR by issuing binding decisions, publishing guidelines, and coordinating enforcement across borders.
Coordinated Enforcement Actions Since 2022
Since 2022, the EDPB has operated a Coordinated Enforcement Framework (CEF) that selects an annual topic for EU-wide investigation. Each participating DPA investigates the same topic within its jurisdiction, and the EDPB aggregates the findings into a public report.
Four annual CEF cycles have been completed to date. In 2022, it examined cloud-based services in the public sector. In 2023, it focused on the designation and position of DPOs, with 25 DPAs collecting over 17,000 responses and identifying seven areas of concern. In 2024, 30 DPAs investigated right of access compliance, finding that two-thirds of controllers achieved average or high compliance but that many lacked documented internal procedures. In 2025, 32 DPAs examined the right to erasure.
The 2026 CEF focuses on transparency and information obligations under Articles 12-14, with 25 DPAs participating. Organisations should expect scrutiny of their privacy notices, layered disclosures, and the clarity of their data subject communications.
Key Enforcement Statistics
The DLA Piper survey covering January 2025 to January 2026 recorded several notable trends. Annual fines reached approximately EUR 1.2 billion, matching the previous year and reversing a prior downward trend. Average daily breach notifications rose 22% year-on-year, from 363 to 443 per day, breaking a multi-year plateau.
Ireland's Data Protection Commission accounted for over half of all cumulative fines, reaching EUR 4.04 billion since May 2018. The largest single fine in 2025 was EUR 530 million imposed by the Irish DPC on TikTok for unlawful international data transfers. Other significant penalties included a EUR 200 million fine against Google LLC by the French CNIL and a further EUR 125 million against Google Ireland.
How to Interact with Your Supervisory Authority
Organisations interact with their DPA in several mandatory and voluntary contexts. Mandatory interactions include breach notification, prior consultation for high-risk processing, and responding to investigations. Voluntary interactions include seeking guidance on compliance questions and submitting codes of conduct for approval.
When Must You Notify the DPA?
Article 33 requires controllers to notify their supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must describe the nature of the breach, the categories and approximate number of data subjects and records affected, the contact details of the DPO or another contact point, the likely consequences, and the measures taken or proposed to address the breach. Where not all of this information is available within 72 hours, it may be provided in phases without further undue delay (Article 33(4)).
Processors must notify the controller without undue delay after becoming aware of a breach (Article 33(2)). The controller then decides whether to notify the DPA. A notification made after 72 hours must be accompanied by the reasons for the delay. Regardless of whether a breach is notified, Article 33(5) requires the controller to document every breach, its effects, and the remedial action taken, so that the DPA can verify compliance; in practice this means maintaining an internal breach register that also records the reasoning behind any decision not to notify.
Article 36 requires prior consultation with the DPA when a Data Protection Impact Assessment indicates that processing would result in a high risk that the controller cannot sufficiently mitigate. The DPA must respond within eight weeks, extendable by six weeks for complex cases.
Organisations should also designate a Data Protection Officer where required by Article 37 and communicate the DPO’s contact details to the supervisory authority. The DPO serves as the primary liaison with the DPA on all matters related to processing.
Building a Constructive Relationship with Your DPA
Maintaining a constructive relationship with your supervisory authority reduces enforcement risk. DPAs generally respond more favourably to organisations that cooperate during investigations, maintain thorough compliance documentation, and demonstrate proactive measures to address identified risks.
Legal disclaimer: This article provides general information about GDPR supervisory authorities. It does not constitute legal advice. Organisations should consult qualified legal counsel regarding their specific regulatory obligations.
Conclusion
Supervisory authorities are the enforcement backbone of the GDPR, wielding investigative, corrective, and advisory powers across more than 30 jurisdictions. The EDPB coordinates their efforts through guidelines, binding dispute-resolution decisions, and annual coordinated enforcement actions. With EUR 7.1 billion in cumulative fines, daily breach notifications exceeding 400, and the 2026 CEF targeting transparency compliance, organisations must treat their relationship with their supervisory authority as a core element of their data protection strategy rather than a remote regulatory formality.
Last reviewed: March 2026