Enforcement & fines trackers
The trackers and registers privacy professionals use to follow how UK GDPR and EU GDPR are actually enforced — cross-border databases, official regulator registers of decisions and penalties, and the leading annual fines surveys. Curated for authority over volume; each entry links to the authoritative source.
United Kingdom & cross-border registers
-
ICO Enforcement action
United Kingdom · Information Commissioner's Office · Official registerWhat it is: The ICO's own filterable register of UK enforcement action — monetary penalties, enforcement notices, reprimands, undertakings and prosecutions taken under UK GDPR, the Data Protection Act 2018 and PECR.
Why it is useful: The authoritative UK starting point for what the regulator has actually done, filterable by action type, sector and date. Free.
-
CMS GDPR Enforcement Tracker
EU/EEA + UK · CMS (law firm) · Searchable databaseWhat it is: A free searchable database of publicly known GDPR fines across the EU, EEA and UK, filterable by country, sector and the GDPR article breached. The firm also publishes a periodic Enforcement Tracker Report drawing on the dataset.
Why it is useful: The most widely cited aggregate view of GDPR fines in one place — helpful for benchmarking and spotting enforcement trends by article and sector. Coverage depends on fines being made public, so treat totals as indicative rather than complete. Free.
-
EDPB — Register of Article 60 final one-stop-shop decisions
EU/EEA · European Data Protection Board · Official registerWhat it is: The EDPB's official register of final decisions issued under the GDPR's one-stop-shop cooperation mechanism (Article 60), where a lead authority and concerned authorities act together on cross-border cases. The Board also maintains a register of its Article 65 binding decisions.
Why it is useful: The authoritative source for cross-border outcomes — the cases that set the tone for how large, multinational processing is enforced across Europe. Free.
Annual fines surveys
-
DLA Piper GDPR Fines and Data Breach Survey
EU/EEA + UK · DLA Piper (law firm) · Annual reportWhat it is: An annual survey, published each January, aggregating GDPR fines and personal-data-breach notification statistics across roughly 31 European countries into a single report.
Why it is useful: A concise year-on-year read on fine totals and breach-notification volumes, widely quoted for headline trends. The link points at the latest edition; the firm publishes a new one annually, so check for the current-year report. Free.
NGO & community trackers
-
GDPRhub
EU/EEA + UK · Operated by noyb · Community wikiWhat it is: A free, community-maintained wiki of data protection decisions from courts and authorities across Europe, with English-language summaries. It is operated by the NGO noyb.
Why it is useful: A fast way to find English summaries of decisions that are otherwise only published in the national language — useful for orientation, but check each entry against the underlying official decision before relying on it, as it is community-edited. Free.
-
noyb (None Of Your Business)
Europe · European Center for Digital Rights · NGO case updatesWhat it is: A strategic-enforcement NGO that brings and publicises GDPR complaints and cases, with updates indexed by authority and by company. It also operates GDPRhub.
Why it is useful: A useful window on cases that are being actively pushed through the system. Note that noyb is a campaigning litigant with a point of view, not a neutral register — read its case updates alongside the official decision. Free.
National DPA registers
These are the official decision and sanction registers of individual data protection authorities. For a full profile of each regulator — remit, contacts and guidance — see the Regulators & Authorities directory. We list a curated set of the highest-volume registers here rather than duplicating every authority.
-
AEPD Resoluciones
Spain · Agencia Española de Protección de Datos · Official register · SpanishWhat it is: The AEPD's official register of resolutions, including its sanctioning decisions. Spain publishes among the highest volumes of GDPR decisions of any EU authority.
Why it is useful: A large, frequently updated body of enforcement practice — valuable for seeing how one of Europe's most active regulators applies the GDPR in detail. Primarily Spanish-language. Free.
-
CNIL Sanctions
France · Commission Nationale de l'Informatique et des Libertés · Official registerWhat it is: The official list of sanctions imposed by the CNIL's restricted committee (formation restreinte), available in an English-language version.
Why it is useful: A reliable record of French enforcement — the CNIL is an influential authority whose reasoning is often followed elsewhere. Free.
-
DPC Ireland — Decisions
Ireland · Data Protection Commission · Official decisionsWhat it is: Official decisions arising from inquiries by Ireland's Data Protection Commission, the lead supervisory authority for many of the largest technology companies established in the EU.
Why it is useful: Because of Ireland's role as lead authority for much of Big Tech, its decisions carry outsized significance for cross-border enforcement. Free.
-
Garante — Provvedimenti
Italy · Garante per la protezione dei dati personali · Official register · ItalianWhat it is: The official register of measures and sanctions (provvedimenti) issued by Italy's data protection authority, with partial English coverage.
Why it is useful: A frequently updated record from another highly active regulator; useful for tracking Italian enforcement positions, including on emerging technologies. Primarily Italian-language. Free.
Reach privacy & data protection professionals researching enforcement trends and fines. Sponsorship enquiries.
