Who is responsible for enforcing the rules?

The European Union and its Member States are responsible for enforcing the GDPR.

Each country is required to set up an independent public Data Protection Authority (DPA) to make sure that the GDPR is being applied, to handle complaints lodged by individuals, and to impose fines when necessary, approve codes of conduct, and raise awareness (e.g. by running educational campaigns).

Direct complaints by individuals about companies or organisations will be enforced by the Data Protection Authorities and national courts, in consultation with the European Court of Justice where necessary.