GDPR administrative fines — Art. 83 two-tier framework and statutory maximums
The General Data Protection Regulation establishes a two-tier administrative fine framework that empowers each supervisory authority to impose fines up to €20 million or 4 % of total worldwide annual turnover (whichever is higher) for the most serious infringements, and up to €10 million or 2 % of turnover for a defined set of less serious violations. The fine regime is set out in Article 83 GDPR, which mandates that every fine must be "effective, proportionate and dissuasive" in each individual case (Art. 83(1)).
Two-tier structure
Article 83(4)–(6) GDPR categorizes infringements by substantive gravity. The lower tier (Art. 83(4)) — €10 million or 2 % of turnover — applies to infringements of controller and processor obligations (Arts. 8, 11, 25–39, 42, 43), processor obligations under Art. 28, certification-body obligations under Arts. 42 and 43, and monitoring-body obligations under Art. 41. The higher tier (Art. 83(5)) — €20 million or 4 % of turnover — covers violations of the basic processing principles (Art. 5), lawful bases for processing (Art. 6), special-category data safeguards (Art. 9), data-subject rights (Arts. 12–22), and international-transfer rules (Arts. 44–49). Infringement of a supervisory-authority order under Art. 58(2) also triggers the higher tier (Art. 83(6)).
Turnover calculation and the "undertaking" concept
The Court of Justice of the European Union held in Deutsche Wohnen (C-807/21, 5 December 2023) and ILVA (C-383/23, 13 February 2025) that the statutory maximum is calculated on the basis of the total worldwide annual turnover of the "undertaking" within the meaning of EU competition law (Arts. 101 and 102 TFEU), not the turnover of the legal entity that is the controller. An undertaking comprises any entity engaged in economic activity, irrespective of legal form, and may include a parent company and its subsidiaries acting as a single economic unit. The Court ruled that only a fine which takes into account the actual or material economic capacity of the addressee can satisfy the Art. 83(1) requirement that the fine be effective, proportionate, and dissuasive.
Fault requirement
The CJEU confirmed in Deutsche Wohnen and Nacionalinis visuomenės sveikatos centras (C-683/21, 5 December 2023) that a supervisory authority may impose an administrative fine under Art. 83 only where the controller or processor intentionally or negligently committed the infringement. Although fault is not listed among the threshold conditions in Art. 83(4)–(6), it appears as a mandatory consideration in Art. 83(2)(b) when deciding on the amount of the fine, and the Court held that the structure and purpose of GDPR preclude strict liability.
Corrective powers under Art. 58(2)
Article 58(2) GDPR grants supervisory authorities a menu of corrective powers, including warnings, reprimands, orders to bring processing into compliance, temporary or definitive bans on processing, suspension of data flows to third countries, and the power to impose an administrative fine "in addition to, or instead of" the other measures listed (Art. 58(2)(i)). Article 83(2) mirrors this language: administrative fines "shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of" the other Art. 58(2) measures. A fine is therefore one corrective tool among several, and the supervisory authority retains discretion to combine a fine with an order to cease processing or a compliance deadline.
Art. 83(2) factors
When deciding on the amount of the fine, the supervisory authority must give due regard to a non-exhaustive list of factors set out in Art. 83(2): the nature, gravity, and duration of the infringement; the intentional or negligent character; action taken to mitigate damage; degree of responsibility (technical and organizational measures implemented); previous infringements; degree of cooperation with the supervisory authority; categories of personal data affected; how the authority became aware of the infringement; compliance with prior orders; approved codes of conduct or certification mechanisms; and any other aggravating or mitigating circumstances. The European Data Protection Board's Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted 24 May 2023) provide a harmonized five-step methodology: (1) identify sanctionable conduct and infringements; (2) determine a starting point based on the categorization under Art. 83(4)–(6), the seriousness of the infringement, and the turnover of the undertaking; (3) adjust for aggravating or mitigating factors; (4) verify legal maximums; (5) confirm the final amount meets the requirements of effectiveness, dissuasiveness, and proportionality.
Member-State discretion and public authorities
Article 83(7) permits each Member State to decide whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. Article 83(8) allows Member States to lay down the rules on whether and how courts may impose fines under GDPR, and Art. 83(9) confirms that Member States may provide for national rules specifying when a fine may be imposed for infringements not already subject to fines under Art. 83(4)–(6). These provisions are the sole openings for national divergence in the fine regime; the Court has held that Member States may not add substantive conditions — such as requiring prior attribution of the infringement to an identified natural person — beyond those set out in GDPR itself.
Source: Regulation (EU) 2016/679 (GDPR), Articles 58, 83
Source: CJEU, Deutsche Wohnen, C-807/21, EU:C:2023:950
Source: CJEU, ILVA, C-383/23, EU:C:2025:84
Source: CJEU, Nacionalinis visuomenės sveikatos centras, C-683/21, EU:C:2023:949
Source: EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 2.1
Supervisory authority investigative powers — Art. 58(1) GDPR toolkit for audits, document access, and on-site inspections
Article 58(1) GDPR equips each supervisory authority with a comprehensive set of investigative powers to examine whether a controller or processor is complying with the Regulation. These powers flow directly from GDPR and do not require implementation by national law, though Member State procedural law governs the exercise of certain powers—notably access to premises under Art. 58(1)(f). The investigative toolkit is the foundation of enforcement: before a supervisory authority can impose a fine or order corrective action under Art. 58(2), it must first gather the evidence, and Art. 58(1) specifies the means by which it does so.
Six investigative powers under Art. 58(1)
Article 58(1) lists six distinct powers:
(a) Information orders. The supervisory authority may order the controller, the processor, and—where applicable—the controller's or processor's representative to provide any information the authority requires for the performance of its tasks. This power is not limited to documents already in existence; it extends to answers to specific questions and explanations of processing operations. The authority may specify the form (written, electronic, oral testimony) and deadline for the response.
(b) Data protection audits. The supervisory authority may carry out investigations in the form of data protection audits. An audit is a structured review of processing activities, technical and organisational measures, documentation (Records of Processing Activities under Art. 30, Data Protection Impact Assessments under Art. 35), security safeguards, and compliance with data-subject-rights requests. Audits may be triggered by a complaint, a data-breach notification, the authority's own monitoring activity, or coordination with other supervisory authorities under Art. 62 (joint operations).
(c) Review of certifications. The supervisory authority may carry out a review of certifications issued pursuant to Art. 42(7) GDPR. This power allows the authority to verify that a controller or processor holding a GDPR certification (such as a European Data Protection Seal) continues to meet the certification criteria and to investigate complaints alleging that a certified entity is not in compliance.
(d) Notification of alleged infringement. The supervisory authority may notify the controller or processor of an alleged infringement of GDPR. This is a procedural step that formally opens an investigation and triggers the controller's or processor's obligation to cooperate under Art. 31 GDPR. The notification typically specifies the provision(s) allegedly infringed and invites the controller or processor to submit observations.
(e) Access to personal data and information. The supervisory authority may obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks. "Information" includes processing documentation, contracts with processors and sub-processors, records of consent, logs of data-subject-rights requests, breach records, internal policies, training materials, and correspondence with data subjects. The authority may request access in situ or require the controller or processor to transmit copies. Refusal to provide access is itself an infringement: Art. 83(5)(e) GDPR subjects failure to provide access or cooperation under Art. 31 to an administrative fine of up to €20 million or 4 % of total worldwide annual turnover, whichever is higher.
(f) Access to premises and processing equipment. The supervisory authority may obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law. This power enables on-site inspections of offices, data centres, servers, workstations, and mobile devices. Because access to premises may engage constitutional protections (inviolability of the home, rights of defence), Member State procedural law typically requires that the inspection be authorised by a court order or conducted with the consent of the controller or processor when the premises are constitutionally protected. The European Data Protection Board's internal document on supervisory-authority duties (EDPB Document 02/2021) confirms that national procedural rules apply to the exercise of this power, subject to the principles of equivalence and effectiveness—national law must not make it excessively difficult or impossible to exercise the rights conferred by GDPR.
Cooperation obligation and consequences of non-compliance
Article 31 GDPR requires the controller, the processor, and—where applicable—the representative to cooperate with the supervisory authority upon request. This obligation applies throughout the exercise of Art. 58(1) investigative powers. Failure to cooperate—such as refusing to answer questions, withholding documents, obstructing an audit, or denying access to premises—is an infringement punishable under Art. 83(5)(e) with a fine of up to €20 million or 4 % of total worldwide annual turnover. In December 2021 the Polish supervisory authority fined Pactum Poland Sp. z o.o. for lack of cooperation after the company accepted one information request but failed to reply and refused to accept three subsequent requests, demonstrating unwillingness to cooperate under Art. 31 and Art. 58(1)(e).
Procedural safeguards and judicial review
Article 58(4) GDPR provides that the exercise of the powers conferred on the supervisory authority pursuant to Art. 58 shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter of Fundamental Rights. These safeguards include the right to be heard, the right to access the file, the principle that administrative decisions must be reasoned, and the right to an effective judicial remedy under Art. 78 GDPR. The Court of Justice of the European Union has held that these safeguards do not permit a Member State to add substantive conditions beyond those in GDPR—for example, a national rule requiring that an infringement be attributed to an identified natural person before an investigation may proceed would undermine the effectiveness of Art. 58(1).
Use in cross-border investigations and joint operations
When a supervisory authority is the lead supervisory authority for a cross-border processing case under Art. 56 GDPR, it exercises its Art. 58(1) investigative powers in coordination with concerned supervisory authorities under Art. 60. Article 62 GDPR authorises joint operations: supervisory authorities may conduct joint investigations and enforcement actions, and members or staff of the supervisory authority of one Member State may exercise investigative powers on the territory of another Member State under the direction and in the presence of members or staff of the host supervisory authority. The European Data Protection Board has established a Support Pool of Experts to facilitate the matching of specialised expertise (forensic IT analysis, cloud-architecture assessment, advertising-technology tracing) with operational needs during complex investigations.
Recital 129 and the objective of consistent enforcement
Recital 129 GDPR explains that supervisory authorities should have "the same tasks and effective powers, including powers of investigation, corrective powers and sanctions" in each Member State in order to ensure consistent monitoring and enforcement of GDPR throughout the Union. The recital emphasises that these powers include the power to bring infringements to the attention of judicial authorities and engage in legal proceedings, and that such powers should include the power to impose a temporary or definitive limitation, including a ban, on processing. The grant of investigative powers under Art. 58(1) is therefore not discretionary: each supervisory authority shall have all of the listed investigative powers, and the exercise of those powers is a core element of the supervisory authority's independence under Arts. 51–54 GDPR.
Source: Regulation (EU) 2016/679 (GDPR), Articles 31, 58, 83
Source: EDPB, Internal Document 02/2021 on SAs duties in relation to alleged GDPR infringements
Source: Polish DPA enforcement notice, Pactum Poland Sp. z o.o., 1 December 2021
Private right to compensation — Art. 82 GDPR's three-prong test, no de minimis threshold, and compensatory-only function
Article 82 GDPR establishes a private right to compensation that runs parallel to the administrative enforcement regime under Arts. 58 and 83. Any person who has suffered material or non-material damage as a result of an infringement of GDPR has the right to receive compensation from the controller or processor for the damage suffered (Art. 82(1)). This private enforcement mechanism allows data subjects to bring civil claims directly in national courts, and the compensation regime has generated a substantial body of case law from the Court of Justice of the European Union clarifying the conditions for liability, the burden of proof, the scope of compensable damage, and the methodology for quantifying awards.
Three cumulative conditions for a right to compensation
The CJEU held in Österreichische Post (C-300/21, 4 May 2023) that Art. 82(1) establishes three cumulative conditions that a data subject must satisfy to obtain compensation: (1) an infringement of GDPR, (2) material or non-material damage actually suffered by the data subject, and (3) a causal link between the infringement and the damage. The Court emphasized that a mere infringement of GDPR is not, by itself, sufficient to confer a right to compensation—the data subject must demonstrate that he or she has actually suffered damage as a consequence of the infringement. This principle distinguishes the private compensation regime under Art. 82 from the administrative-fine regime under Art. 83 (which punishes the infringement itself) and from the judicial-remedy rights under Arts. 77 and 78 (which allow a data subject to complain to a supervisory authority or challenge a supervisory authority's decision in court regardless of whether damage has been suffered).
Concept of 'damage' — no de minimis threshold
Recital 146 GDPR provides that "the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation." The CJEU ruled in Österreichische Post (C-300/21, paragraph 51) that Art. 82 GDPR precludes a national rule or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness—such as a "threshold of seriousness" or a "de minimis threshold." The Court held that imposing a materiality threshold would be contrary to the broad conception of damage chosen by the EU legislature and would undermine the effectiveness of the right to compensation. The ruling has been consistently reaffirmed in subsequent CJEU decisions, including Natsionalna agentsia za prihodite (C-340/21, 14 December 2023), ZQ v Medizinischer Dienst (C-667/21, 21 December 2023), GP v juris GmbH (C-741/21, 11 April 2024), and IP v Quirin Privatbank (C-655/23, 4 September 2025).
Non-material damage — fear of misuse, loss of control, and evidentiary burden
Non-material damage under Art. 82 includes a wide range of harms. Recital 85 GDPR identifies illustrative categories: "loss of control over personal data," "limitation of rights," "discrimination," "identity theft or fraud," "financial loss," "damage to reputation," and "loss of confidentiality of personal data protected by professional secrecy." The CJEU has confirmed that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties can, in itself, constitute non-material damage, provided that the fear is well-founded and the national court verifies that such fear can be deemed to exist in the specific circumstances of the case (Natsionalna agentsia za prihodite, C-340/21, paragraph 46). The Court also confirmed in GP v juris GmbH (C-741/21, paragraph 49) that loss of control over personal data as a result of a data breach constitutes non-material damage, provided the data subject can convincingly demonstrate that such loss of control occurred. However, a purely hypothetical risk of unspecified future harm where no third party has become aware of the personal data does not, by itself, constitute compensable damage (PS (Incorrect address), C-590/22, 20 June 2024, paragraph 35). The data subject bears the burden of proving the existence of damage and the causal link between the infringement and the damage; the CJEU has held that the data subject must show that the consequences of the infringement constitute damage that differs from the mere infringement of GDPR provisions.
Liability regime — fault-based with reversed burden of proof
Article 82 establishes a fault-based liability regime with a reversal of the burden of proof. The CJEU held in ZQ v Medizinischer Dienst (C-667/21, paragraph 38) and GP v juris GmbH (C-741/21, paragraph 41) that liability under Art. 82 requires the existence of a fault committed by the controller or processor, but the fault is presumed and the controller or processor bears the burden of proving that it is not in any way responsible for the event giving rise to the damage. This reversal is codified in Art. 82(3): "A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage." The CJEU has clarified that a controller cannot exempt itself from liability solely by proving that the damage resulted from unauthorized disclosure by a third party (such as a cyberattack) or from the misconduct of an employee or other person acting under the controller's authority (Art. 29 GDPR). To avoid liability, the controller must prove that it complied with all applicable GDPR obligations—including the obligations to implement appropriate technical and organizational measures under Arts. 24, 25, and 32—and that the damage was caused by an event entirely outside the controller's sphere of responsibility.
Quantification of damages — national law subject to effectiveness and equivalence
Article 82 GDPR does not contain any provision defining the rules for the assessment of the amount of damages. The CJEU held in Österreichische Post (C-300/21, paragraph 58) that national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of effectiveness and equivalence of EU law are complied with. The principle of effectiveness requires that national rules must not make it impossible or excessively difficult for a data subject to exercise the right to compensation. The principle of equivalence requires that claims under Art. 82 GDPR must not be treated less favorably than similar domestic claims. The CJEU emphasized in ZQ v Medizinischer Dienst (C-667/21, paragraph 45) and IP v Quirin Privatbank (C-655/23, paragraph 57) that Art. 82 has an exclusively compensatory function, not a punitive or deterrent function. Consequently, the degree of fault (intentional versus negligent) and the severity of the infringement are not relevant when determining the amount of damages, and the criteria laid down for administrative fines in Art. 83 GDPR do not apply to the calculation of compensation under Art. 82. Damages must ensure full and effective compensation for the harm actually suffered, but punitive damages and awards that exceed full compensation are prohibited. The CJEU confirmed in IP v Quirin Privatbank (C-655/23, paragraph 70) that compensation payable under Art. 82 cannot be awarded, in part or in full, in the form of a prohibitory injunction, since the right to compensation fulfills an exclusively compensatory function whereas the purpose of a prohibitory injunction is preventive.
Joint and several liability; processor's direct liability
Article 82(4) GDPR provides that where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Article 82(5) permits a controller or processor who has paid full compensation to recover from other controllers or processors involved in the same processing the part of the compensation corresponding to their respective share of responsibility, in accordance with the conditions set out in Art. 82(4). This joint-and-several-liability regime ensures that a data subject can recover the full amount of damages from any one of the responsible parties and is not forced to pursue multiple defendants to piece together compensation.
Relationship with administrative enforcement
The private right to compensation under Art. 82 operates independently of the administrative enforcement powers conferred on supervisory authorities under Arts. 58 and 83. Recital 146 states that "the controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation," and that "the concept of damage should be broadly interpreted." A supervisory authority's decision to impose (or not to impose) an administrative fine on a controller for a GDPR infringement does not affect the data subject's parallel right to bring a civil claim for compensation under Art. 82. The two regimes serve different purposes: administrative fines under Art. 83 are designed to be effective, proportionate, and dissuasive, and the fine amount is informed by the factors in Art. 83(2) (including the degree of fault and the seriousness of the infringement), whereas compensation under Art. 82 is purely compensatory and is measured by the actual damage suffered by the data subject.
Source: Regulation (EU) 2016/679 (GDPR), Article 82
Source: CJEU, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370
Source: CJEU, Natsionalna agentsia za prihodite, C-340/21, EU:C:2023:986
Source: CJEU, ZQ v Medizinischer Dienst, C-667/21, EU:C:2023:1019
Source: CJEU, GP v juris GmbH, C-741/21, EU:C:2024:296
Source: CJEU, IP v Quirin Privatbank, C-655/23, EU:C:2025:655
Source: CJEU, PS (Incorrect address), C-590/22, EU:C:2024:536
Supervisory authority corrective powers — Art. 58(2) GDPR nine-measure enforcement toolkit and discretion framework
Article 58(2) GDPR grants each supervisory authority a comprehensive toolkit of nine distinct corrective powers that it may deploy to remedy GDPR infringements. These powers range from warnings and reprimands to binding orders that halt processing entirely, and they operate alongside—or as an alternative to—the administrative fines imposed under Article 83. The corrective-powers menu is the core enforcement mechanism of GDPR: every enforcement action by a supervisory authority uses one or more of these powers, and practitioners defending or negotiating enforcement must understand which measures the authority can and will impose.
The nine corrective powers under Art. 58(2) GDPR
Article 58(2) provides that each supervisory authority shall have all of the following corrective powers:
(a) Issue warnings. The supervisory authority may issue a warning to a controller or processor that intended processing operations are likely to infringe GDPR. A warning is prospective and precautionary—it addresses planned processing before it occurs. Warnings are non-binding but create a formal record that the authority has flagged the risk.
(b) Issue reprimands. The supervisory authority may issue a reprimand to a controller or processor where processing operations have infringed GDPR. A reprimand is retrospective and declaratory—it formally records that an infringement has occurred. Unlike a warning, a reprimand addresses completed conduct. Reprimands carry no monetary penalty and impose no future obligations beyond the declaration of non-compliance.
(c) Order compliance with data-subject-rights requests. The supervisory authority may order the controller or processor to comply with a data subject's requests to exercise rights under Chapter III (Arts. 12–22). This power is the enforcement backstop for data-subject rights: when a controller refuses or fails to respond to an access request (Art. 15), erasure request (Art. 17), or objection (Art. 21), the data subject may complain to the supervisory authority under Art. 77, and the authority may order the controller to comply.
(d) Order processing into compliance with GDPR. The supervisory authority may order the controller or processor to bring processing operations into compliance with GDPR, where appropriate in a specified manner and within a specified period. This is the general compliance order—it applies to any substantive GDPR obligation (lawful basis under Art. 6, transparency under Arts. 12–14, security under Art. 32, processor contracts under Art. 28, records of processing activities under Art. 30, data protection impact assessments under Art. 35, etc.). The authority specifies the violation, the corrective action required, and the deadline. Failure to comply with an order under Art. 58(2) is itself an infringement subject to a fine of up to €20 million or 4 % of total worldwide annual turnover under Art. 83(6).
(e) Order communication of a personal data breach to data subjects. The supervisory authority may order the controller or processor to communicate a personal data breach to the data subject in accordance with Art. 34 GDPR. This power applies when the controller has failed to notify data subjects of a breach that is likely to result in a high risk to their rights and freedoms.
(f) Impose temporary or definitive processing bans. The supervisory authority may impose a temporary or definitive limitation, including a ban, on processing. This is the most intrusive corrective power: the authority can order a controller to cease processing entirely, either for a defined period (temporary ban, to allow time for compliance) or permanently (definitive ban, when the processing cannot be brought into compliance). A processing ban may be total (all processing activities) or partial (specific processing operations, specific categories of data, or specific purposes). The CJEU held in Facebook Ireland and Schrems (C-311/18, 16 July 2020, paragraph 112) that the supervisory authority must determine which action is appropriate and necessary, taking into account all the circumstances of the specific case and discharging its responsibility to ensure GDPR is fully enforced.
(g) Suspend data flows to third countries or international organizations. The supervisory authority may order the suspension of data flows to a recipient in a third country or to an international organization. This power enforces Chapter V (Arts. 44–49, international transfers). The authority may suspend transfers when it determines that the transfer mechanism (Standard Contractual Clauses, Binding Corporate Rules, adequacy decision, or derogation) does not provide adequate protection or has been breached.
(h) Withdraw or suspend certifications and order certification bodies to act. The supervisory authority may withdraw certification or order the certification body to withdraw certification issued pursuant to Arts. 42 and 43, or may order the certification body not to issue certification if the requirements for the certification are not or are no longer met. This power polices the GDPR certification regime: if a controller or processor holds a data-protection seal and the authority determines that the certified entity no longer meets the certification criteria, the authority may revoke the certification or order the certification body to do so.
(i) Impose an administrative fine pursuant to Art. 83. The supervisory authority may impose an administrative fine in addition to, or instead of, the other measures listed in Art. 58(2)(a)–(h), depending on the circumstances of each individual case. Fines are addressed separately in Art. 83 and in the guide section on administrative fines. The key structural point is that a fine is one corrective power among nine—Art. 83(2) mirrors the language of Art. 58(2), providing that fines "shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of" the other corrective measures. A supervisory authority may issue a reprimand without a fine, impose a compliance order with a deadline and reserve the right to fine if the deadline is missed, or combine a fine with a processing ban.
Discretion, limits, and the duty to act: TR v Land Hessen (C-768/21)
The CJEU ruled in TR v Land Hessen (C-768/21, 26 September 2024) that supervisory authorities possess discretion as to the manner in which they remedy an infringement, but this discretion is limited by the need to ensure consistent and high-level protection of personal data through strong enforcement. The Court held (paragraphs 37–38) that "the GDPR leaves the supervisory authority a discretion as to the manner in which it must remedy the shortcoming found, since Article 58(2) thereof confers on that authority the power to adopt various corrective measures," and that "the supervisory authority must determine which action is appropriate and necessary, and must do so taking into consideration all the circumstances of the specific case." However, the Court emphasized that this discretion is "limited by the need to ensure a consistent and high level of protection of personal data through strong enforcement of the rules, as is apparent from recitals 7 and 10 of the GDPR." The authority is not required to impose a fine in every case where an infringement is found, but it must react appropriately to remedy the infringement. The CJEU confirmed in SCHUFA Holding (C-26/22 and C-64/22, 7 December 2023, paragraph 57) that when a supervisory authority finds an infringement following investigation of a complaint, it is required to react appropriately to remedy the shortcoming, and each measure should be appropriate, necessary, and proportionate in view of ensuring compliance with GDPR.
Combining corrective measures and enforcement against processors
Article 58(2) applies to both controllers and processors. Processors are directly subject to corrective powers for violations of their own obligations under Arts. 28, 32, and 33 (processor contracts, security, breach notification to the controller). Supervisory authorities routinely combine multiple corrective powers in a single enforcement decision—for example, a reprimand for the infringement, an order under Art. 58(2)(d) to bring processing into compliance within a specified period, and an administrative fine under Art. 58(2)(i).
Recital 129 and uniform powers
Recital 129 GDPR provides that "in order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions." The grant of corrective powers under Art. 58(2) is therefore mandatory and uniform: each supervisory authority shall have all ten corrective powers in Art. 58(2)(a)–(j), and Member States may not restrict or dilute those powers through national law (except for the limited public-authority carve-out in Art. 83(7) and the Member State option under Art. 83(9) to provide for court-imposed fines where the national legal system does not allow administrative fines).
Source: Regulation (EU) 2016/679 (GDPR), Articles 58, 83
Source: CJEU, TR v Land Hessen (Obligation to act by the data protection authority), C-768/21, EU:C:2024:785
Source: CJEU, SCHUFA Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:958
Source: CJEU, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559
Judicial remedies — Arts. 77, 78, 79 GDPR three-track procedural rights (complaint to supervisory authority, judicial remedy against authority, judicial remedy against controller/processor)
GDPR establishes three distinct procedural rights that allow data subjects to enforce their rights independently or in combination: the right to lodge a complaint with a supervisory authority (Art. 77), the right to an effective judicial remedy against a supervisory authority (Art. 78), and the right to an effective judicial remedy against a controller or processor (Art. 79). These remedies operate in parallel to the private right to compensation under Art. 82 and are foundational to the enforcement architecture — a practitioner defending or bringing a GDPR claim must understand which forum the data subject may choose, what the supervisory authority must do in response to a complaint, and what standard of review a court applies when the data subject challenges the authority's decision or sues the controller directly.
Article 77 — Right to lodge a complaint with a supervisory authority
Article 77(1) GDPR provides that without prejudice to any other administrative or non-judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes GDPR. The right to complain is procedural and does not depend on proof of damage—the data subject need only allege that processing infringes GDPR. The Court of Justice of the European Union held in Nemzeti Adatvédelmi és Információszabadság Hatóság (C-132/21, 12 January 2023, paragraph 42) that the right to lodge a complaint under Art. 77(1), the right to judicial remedy against a supervisory authority under Art. 78(1), and the right to judicial remedy against a controller or processor under Art. 79(1) may be exercised concurrently with and independently of each other. A data subject may therefore lodge a complaint with a supervisory authority under Art. 77 and simultaneously bring a civil action against the controller under Art. 79; neither remedy is a prerequisite for the other.
Article 77(2) requires that the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78. The European Data Protection Board has clarified that this information obligation is not satisfied by a purely formal decision—the supervisory authority must provide a detailed, duly reasoned assessment capable of examination by a court seised under Art. 78(1). The CJEU emphasized in SCHUFA Holding (Discharge from remaining debts) (C-26/22 and C-64/22, 7 December 2023, paragraph 57) that when a supervisory authority finds an infringement following investigation of a complaint, the authority is required to react appropriately to remedy the shortcoming, which may include issuing a reprimand, ordering the controller to bring processing into compliance under Art. 58(2)(d), or imposing an administrative fine under Art. 58(2)(i). The authority possesses discretion as to the manner in which it remedies the infringement, but this discretion is limited by the need to ensure a consistent and high level of protection of personal data through strong enforcement.
Complaint-handling obligations and the supervisory authority's duty to act
The supervisory authority's duty to handle complaints is set out in Art. 57(1)(f) GDPR, which provides that each supervisory authority shall handle complaints lodged by a data subject and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and outcome of the investigation within a reasonable period. The CJEU held in TR v Land Hessen (C-768/21, 26 September 2024, paragraph 38) that the supervisory authority must determine which action is appropriate and necessary, taking into consideration all the circumstances of the specific case, and that its discretion is limited by the need to ensure consistent and high-level protection through strong enforcement. Recital 141 GDPR states that every data subject should have the right to lodge a complaint if the data subject considers that his or her rights are infringed, and that the complaint should be investigated and the complainant should be informed of the progress and outcome within a reasonable period.
Article 78 — Right to an effective judicial remedy against a supervisory authority
Article 78(1) GDPR provides that without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. Article 78(2) provides that without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Arts. 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Art. 77. The three-month clock is a procedural deadline that triggers the data subject's right to bring a court action challenging the supervisory authority's failure to act; it is not a substantive deadline by which the authority must complete its investigation.
Scope of judicial review under Art. 78
The CJEU confirmed in SCHUFA Holding (Discharge from remaining debts) (C-26/22 and C-64/22, 7 December 2023, paragraph 58) that a decision on a complaint adopted by a supervisory authority is subject to full judicial review. The national court reviewing a supervisory authority decision under Art. 78 is not confined to verifying whether the authority has formally complied with its procedural obligations; the court must conduct an objective assessment of the substantive merits, including whether the processing at issue infringes GDPR and whether the corrective measures imposed (or not imposed) by the authority are appropriate, necessary, and proportionate. This full-review standard ensures that the data subject's fundamental right to an effective remedy under Article 47 of the Charter of Fundamental Rights is protected.
Article 79 — Right to an effective judicial remedy against a controller or processor
Article 79(1) GDPR provides that without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Art. 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. This remedy allows a data subject to bring a civil action directly against the controller or processor in a national court without first exhausting administrative remedies or waiting for a supervisory authority decision. The CJEU held in Nemzeti Adatvédelmi és Információszabadság Hatóság (C-132/21, 12 January 2023) that the Art. 79 remedy is independent of the Art. 77 complaint procedure and may be pursued in parallel.
Article 79(2) GDPR provides that proceedings against a controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. This forum-choice rule gives the data subject a strategic advantage — she may sue in her home court rather than traveling to the controller's Member State.
Distinction between Art. 79 (judicial remedy) and Art. 82 (compensation for damage)
Article 79 is a procedural remedy that allows a data subject to obtain a court declaration that the controller or processor has infringed GDPR and, where appropriate, an injunction ordering the controller to cease the unlawful processing, comply with a data-subject-rights request, or implement corrective measures. Article 79 does not require proof of damage—the data subject need only allege that his or her rights under GDPR have been infringed. By contrast, Art. 82 is a compensatory remedy that requires the data subject to prove three cumulative conditions: (1) an infringement of GDPR, (2) material or non-material damage actually suffered, and (3) a causal link between the infringement and the damage (Österreichische Post, C-300/21, 4 May 2023, paragraph 42). The CJEU has confirmed that Art. 82 compensation is purely compensatory, not punitive, whereas an Art. 79 action may result in declaratory relief, an injunction, or an order directing the controller to comply with GDPR obligations without any showing of damage (IP v Quirin Privatbank, C-655/23, 4 September 2025, paragraphs 57 and 70).
Concurrent and independent exercise of remedies
The CJEU's ruling in Nemzeti Adatvédelmi és Információszabadság Hatóság (C-132/21, 12 January 2023, paragraph 42) establishes that the three procedural remedies—Art. 77 complaint to a supervisory authority, Art. 78 judicial remedy against the supervisory authority, and Art. 79 judicial remedy against the controller or processor—may be exercised concurrently with and independently of each other. A data subject may therefore: (a) lodge a complaint with a supervisory authority under Art. 77 and await the authority's decision; (b) sue the supervisory authority under Art. 78(2) if the authority does not handle the complaint or does not inform the data subject within three months; (c) sue the controller or processor directly under Art. 79 without first lodging a complaint or waiting for the supervisory authority to act; or (d) pursue any combination of these remedies simultaneously. The existence of an administrative complaint procedure does not suspend or preclude the data subject's right to bring a civil action under Art. 79.
Procedural safeguards and the Charter of Fundamental Rights
Recital 141 GDPR provides that every data subject should have the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under GDPR are infringed. Article 47 of the Charter guarantees the right to an effective remedy and to a fair trial. The CJEU has held that the remedies in Arts. 77, 78, and 79 GDPR must be interpreted in light of Article 47 of the Charter, which requires that judicial review be effective, that the complainant have access to the file and be informed of the reasons for the authority's decision, and that the decision be subject to a standard of review that ensures the fundamental rights at stake are protected. National procedural rules governing the exercise of these remedies must respect the principles of equivalence (GDPR remedies must not be treated less favorably than similar domestic remedies) and effectiveness (national rules must not make it impossible or excessively difficult to exercise the rights conferred by GDPR).
Practical effect: strategic choices for data subjects and controllers
For data subjects, the three-track remedy structure offers strategic flexibility. A data subject seeking a quick declaratory ruling that processing is unlawful may sue the controller directly under Art. 79 in a court in her home Member State, without waiting for a supervisory authority investigation. A data subject seeking an administrative fine against the controller may lodge a complaint under Art. 77 and trigger the supervisory authority's enforcement powers under Art. 58(2), including the power to impose fines under Art. 83. If the authority does not handle the complaint or inform the data subject within three months, or issues a decision the data subject considers inadequate, the data subject may challenge the authority's inaction or decision under Art. 78 and obtain full judicial review. For controllers and processors, the three-track structure means that a single processing operation may be challenged simultaneously in multiple fora: a supervisory authority investigation triggered by an Art. 77 complaint, a civil action under Art. 79 in the data subject's home court, and a compensation claim under Art. 82. The controller must coordinate its defense across these proceedings, and the outcomes may diverge: a national court may find the processing lawful while a supervisory authority in another Member State finds it unlawful. Where cross-border processing is at issue, divergent positions among the supervisory authorities themselves are channelled through the one-stop-shop cooperation procedure (Art. 60) and the consistency mechanism (Arts. 63–67); those mechanisms bind the supervisory authorities, not the national courts seised under Art. 79.
Source: Regulation (EU) 2016/679 (GDPR), Articles 77, 78, 79
Source: CJEU, SCHUFA Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:958
Source: CJEU, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2
Source: CJEU, TR v Land Hessen (Obligation to act by the data protection authority), C-768/21, EU:C:2024:785