HomeKnowledge Hub › Enforcement & Fines Trackers

Knowledge Hub

Enforcement & fines trackers

The trackers and registers privacy professionals use to follow how UK GDPR and EU GDPR are actually enforced — cross-border databases, official regulator registers of decisions and penalties, and the leading annual fines surveys. Curated for authority over volume; each entry links to the authoritative source.

Compiled & maintained by VulaPri Limited, a UK privacy consultancy · Last verified 5 July 2026

Looking for a specific data protection authority rather than a fines tracker? The national regulators below each have a dedicated profile in our Regulators & Authorities directory — this page lists their enforcement registers, not the authorities themselves, to avoid duplication.

United Kingdom & cross-border registers

  • ICO Enforcement action

    United Kingdom · Information Commissioner's Office · Official register

    What it is: The ICO's own filterable register of UK enforcement action — monetary penalties, enforcement notices, reprimands, undertakings and prosecutions taken under UK GDPR, the Data Protection Act 2018 and PECR.

    Why it is useful: The authoritative UK starting point for what the regulator has actually done, filterable by action type, sector and date. Free.

    Open the ICO enforcement register →

  • CMS GDPR Enforcement Tracker

    EU/EEA + UK · CMS (law firm) · Searchable database

    What it is: A free searchable database of publicly known GDPR fines across the EU, EEA and UK, filterable by country, sector and the GDPR article breached. The firm also publishes a periodic Enforcement Tracker Report drawing on the dataset.

    Why it is useful: The most widely cited aggregate view of GDPR fines in one place — helpful for benchmarking and spotting enforcement trends by article and sector. Coverage depends on fines being made public, so treat totals as indicative rather than complete. Free.

    Open the CMS Enforcement Tracker →

  • EDPB — Register of Article 60 final one-stop-shop decisions

    EU/EEA · European Data Protection Board · Official register

    What it is: The EDPB's official register of final decisions issued under the GDPR's one-stop-shop cooperation mechanism (Article 60), where a lead authority and concerned authorities act together on cross-border cases. The Board also maintains a register of its Article 65 binding decisions.

    Why it is useful: The authoritative source for cross-border outcomes — the cases that set the tone for how large, multinational processing is enforced across Europe. Free.

    Open the EDPB Article 60 register →

Annual fines surveys

  • DLA Piper GDPR Fines and Data Breach Survey

    EU/EEA + UK · DLA Piper (law firm) · Annual report

    What it is: An annual survey, published each January, aggregating GDPR fines and personal-data-breach notification statistics across roughly 31 European countries into a single report.

    Why it is useful: A concise year-on-year read on fine totals and breach-notification volumes, widely quoted for headline trends. The link points at the latest edition; the firm publishes a new one annually, so check for the current-year report. Free.

    Read the latest DLA Piper survey →

NGO & community trackers

  • GDPRhub

    EU/EEA + UK · Operated by noyb · Community wiki

    What it is: A free, community-maintained wiki of data protection decisions from courts and authorities across Europe, with English-language summaries. It is operated by the NGO noyb.

    Why it is useful: A fast way to find English summaries of decisions that are otherwise only published in the national language — useful for orientation, but check each entry against the underlying official decision before relying on it, as it is community-edited. Free.

    Open GDPRhub →

  • noyb (None Of Your Business)

    Europe · European Center for Digital Rights · NGO case updates

    What it is: A strategic-enforcement NGO that brings and publicises GDPR complaints and cases, with updates indexed by authority and by company. It also operates GDPRhub.

    Why it is useful: A useful window on cases that are being actively pushed through the system. Note that noyb is a campaigning litigant with a point of view, not a neutral register — read its case updates alongside the official decision. Free.

    Open noyb →

National DPA registers

These are the official decision and sanction registers of individual data protection authorities. For a full profile of each regulator — remit, contacts and guidance — see the Regulators & Authorities directory. We list a curated set of the highest-volume registers here rather than duplicating every authority.

  • AEPD Resoluciones

    Spain · Agencia Española de Protección de Datos · Official register · Spanish

    What it is: The AEPD's official register of resolutions, including its sanctioning decisions. Spain publishes among the highest volumes of GDPR decisions of any EU authority.

    Why it is useful: A large, frequently updated body of enforcement practice — valuable for seeing how one of Europe's most active regulators applies the GDPR in detail. Primarily Spanish-language. Free.

    Open the AEPD resolutions register →

  • CNIL Sanctions

    France · Commission Nationale de l'Informatique et des Libertés · Official register

    What it is: The official list of sanctions imposed by the CNIL's restricted committee (formation restreinte), available in an English-language version.

    Why it is useful: A reliable record of French enforcement — the CNIL is an influential authority whose reasoning is often followed elsewhere. Free.

    Open the CNIL sanctions list →

  • DPC Ireland — Decisions

    Ireland · Data Protection Commission · Official decisions

    What it is: Official decisions arising from inquiries by Ireland's Data Protection Commission, the lead supervisory authority for many of the largest technology companies established in the EU.

    Why it is useful: Because of Ireland's role as lead authority for much of Big Tech, its decisions carry outsized significance for cross-border enforcement. Free.

    Open the DPC decisions page →

  • Garante — Provvedimenti

    Italy · Garante per la protezione dei dati personali · Official register · Italian

    What it is: The official register of measures and sanctions (provvedimenti) issued by Italy's data protection authority, with partial English coverage.

    Why it is useful: A frequently updated record from another highly active regulator; useful for tracking Italian enforcement positions, including on emerging technologies. Primarily Italian-language. Free.

    Open the Garante measures register →

This directory is curated for authority over volume and expanding. Think a tracker or register is missing, or spot a link to fix? Flag it for the curation team — curated lists take tip-offs, not self-listings. General reference only, not legal advice.