The EU General Data Protection Regulation (GDPR) has been in force since 2018, and its enforcement is carried out by independent national data-protection authorities (DPAs) across the EU and EEA, coordinated through the European Data Protection Board (EDPB). This article offers a neutral, aggregate recap of the themes that characterised GDPR enforcement through 2025. It deliberately discusses patterns and principles rather than naming particular organisations or framing specific outcomes as accusations, and it is not legal advice.
How GDPR enforcement is structured
GDPR is enforced primarily by national DPAs, each supervising organisations within its jurisdiction. For cross-border processing, the regulation uses a one-stop-shop mechanism: a lead supervisory authority, usually where the organisation has its main establishment, coordinates with other concerned authorities. Where authorities disagree, the EDPB can issue binding decisions to ensure consistent application. For the underlying framework, see our overview of the GDPR.
This structure matters because it shapes how enforcement unfolds: many significant cross-border matters involve coordination between a lead authority and others, and EDPB consistency mechanisms help align interpretation across countries.
Recurring themes in enforcement
Several themes recur across enforcement activity as areas of regulatory focus. Described in aggregate, these include:
- Lawful basis and transparency: whether organisations correctly identify and communicate the legal basis for processing, and whether privacy information is clear and accessible.
- Consent: whether consent, where relied upon, is freely given, specific, informed and unambiguous, and as easy to withdraw as to give.
- Data-subject rights: how organisations handle requests for access, erasure, rectification and objection within required timeframes.
- Security and breach handling: whether appropriate technical and organisational measures are in place, and whether breaches are notified appropriately. See our explainer on data breaches.
- International transfers: the safeguards applied when personal data move outside the EEA.
These themes reflect the GDPR’s core principles — lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability — and enforcement activity tends to cluster around them.
The role of the EDPB and consistency
A defining feature of recent years has been the EDPB’s role in promoting consistent interpretation. Through guidelines, opinions and, where necessary, binding decisions in dispute-resolution procedures, the Board has helped align how authorities approach questions such as the calculation of administrative fines and the assessment of cross-border cases. The EDPB has, for example, issued guidance intended to harmonise the methodology authorities use when determining the level of fines, supporting a more consistent approach across the bloc.
This coordination is significant for organisations operating in multiple member states, because it reduces — though does not eliminate — divergence in how the same rules are applied in different countries.
Tools beyond fines
Administrative fines attract the most attention, but DPAs have a wider toolkit. Authorities can issue warnings and reprimands, order an organisation to bring processing into compliance, impose temporary or definitive limitations on processing (including bans), and order the rectification or erasure of data. In many matters, corrective orders — requiring changes to how data are handled — are as consequential as monetary penalties, because they directly alter business practices. Describing enforcement only in terms of fine totals therefore understates the range of regulatory action.
What organisations took from it
In aggregate, the enforcement picture through 2025 reinforced the importance of demonstrable accountability: maintaining records of processing, conducting data-protection impact assessments where required, ensuring a valid lawful basis, honouring data-subject rights promptly, and being able to evidence appropriate security measures. The accountability principle — being able to show compliance, not merely assert it — runs through the regulation and through how authorities assess organisations.
For those seeking to understand the rules themselves rather than commentary on outcomes, the authoritative sources are the regulation’s own text, national DPA guidance, and EDPB materials published at edpb.europa.eu. Neutral definitions of related privacy terms are collected in our standards dictionary.
Reading enforcement data carefully
A final neutral note concerns how enforcement statistics should be read. Aggregate figures — numbers of decisions, total penalty amounts, or counts of complaints — circulate widely, but they require context. A high total in one period may reflect a small number of large matters rather than a broad pattern; a low total may reflect a focus on corrective orders rather than fines. Differences between member states can stem from caseload, the nature of the organisations established in a jurisdiction, or procedural timing rather than from differing strictness. For this reason, responsible analysis treats enforcement data as one input among several and avoids inferring conclusions about any individual organisation from aggregate trends. The constructive takeaway for organisations is forward-looking: align practices with the regulation’s principles and maintain the documentation needed to demonstrate that alignment.
The accountability principle in focus
If a single idea characterises how authorities approach assessment, it is accountability. The GDPR does not merely require organisations to comply; it requires them to be able to demonstrate compliance. In practice this means maintaining a record of processing activities, documenting the lawful basis for each processing purpose, conducting and recording data-protection impact assessments for higher-risk processing, and keeping evidence of the technical and organisational measures in place. When authorities examine an organisation, the ability to produce this documentation is often as important as the underlying practices themselves.
Accountability also shapes governance. Many organisations are required to designate a data-protection officer, and the regulation encourages structured governance such as data-protection-by-design and by-default, where privacy considerations are built into systems from the outset. These structural expectations recur across enforcement themes because they underpin every other obligation — a lawful basis, honoured rights and adequate security all depend on having the governance to manage them.
A neutral bottom line
GDPR enforcement in 2025 is best understood not through individual headline cases but through the patterns: sustained attention to lawful basis, transparency, consent, data-subject rights, security and international transfers; growing consistency driven by the EDPB; and a corrective toolkit that extends well beyond fines. The regulation’s principles remained the constant reference point against which authorities assessed organisations.