Data Protection Commissioner: Role, Powers, and How to Comply
Learn what a data protection commissioner does, their enforcement powers, and what your website must do to comply with their requirements.
A data protection commissioner is the independent authority responsible for enforcing privacy laws and holding organizations accountable for how they handle personal data. If your website collects information from users in the European Union, the United Kingdom, or dozens of other jurisdictions with comprehensive privacy laws, a data protection commissioner has the power to investigate your practices, order changes, and impose significant fines.
This guide explains what data protection commissioners do, how their enforcement powers work, which commissioner has authority over your website, and the specific steps you need to take to stay on the right side of their requirements. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is a Data Protection Commissioner?
A data protection commissioner, also called a supervisory authority or data protection authority (DPA), is a public body established by law to monitor and enforce compliance with data protection legislation. The GDPR mandates in Article 51 that each EU member state establish one or more independent supervisory authorities to protect the fundamental rights of individuals with regard to the processing of their personal data.
The role serves three core functions:
- Enforcement: Investigating complaints, conducting audits, and imposing corrective measures including fines
- Guidance: Publishing interpretive guidance, approving codes of conduct, and advising on legislation
- Advocacy: Raising public awareness about data protection rights and promoting organizational accountability
Independence is a defining characteristic. Article 52 of the GDPR requires that supervisory authorities act with "complete independence" in performing their tasks. They cannot seek or take instructions from any external body, including their own governments. This independence ensures that enforcement decisions are based on law and evidence, not political considerations.
Major Data Protection Commissioners and Their Jurisdictions
Data protection commissioners exist in every EU member state, the UK, and a growing number of countries worldwide. Several are particularly relevant for website owners because of the volume of complaints they handle or the significance of the organizations they oversee.
European Data Protection Board (EDPB)
The EDPB is not a single commissioner but a coordinating body composed of the heads of all EEA supervisory authorities plus the European Data Protection Supervisor. Established under Article 68 of the GDPR, it ensures consistent application of the regulation across member states. The EDPB issues binding decisions in cross-border cases and publishes guidelines that all national authorities follow.
Ireland: Data Protection Commission (DPC)
The Irish DPC is the lead supervisory authority for many of the world's largest technology companies because their European headquarters are based in Ireland. Meta, Google, Apple, Microsoft, TikTok, and LinkedIn all fall under DPC oversight for their EU operations. The DPC has issued some of the largest GDPR fines to date, including a 1.2 billion EUR fine against Meta in May 2023 for unlawful data transfers to the United States.
France: Commission Nationale de l'Informatique et des Libertes (CNIL)
The CNIL is one of the most active enforcers in Europe. It has been particularly aggressive on cookie consent enforcement, issuing a 150 million EUR fine against Google and a 60 million EUR fine against Facebook in December 2021 for making it harder to refuse cookies than to accept them. The CNIL publishes detailed guidance on cookie compliance that many other authorities reference.
United Kingdom: Information Commissioner's Office (ICO)
Following Brexit, the UK operates under its own data protection regime (the UK GDPR and Data Protection Act 2018), with the ICO as its supervisory authority. The ICO can fine organizations up to 17.5 million GBP or 4% of annual global turnover. It is known for its practical guidance documents and its focus on children's data protection through the Age Appropriate Design Code.
Germany: Federal and state authorities
Germany has a unique structure with a Federal Commissioner for Data Protection (BfDI) plus 16 state-level data protection authorities. Each state authority has jurisdiction over private sector organizations in its territory. This fragmented structure means a company operating across German states may interact with multiple authorities.
Other notable authorities
- Netherlands: Autoriteit Persoonsgegevens (AP), which has issued significant fines and focuses on facial recognition and public sector compliance
- Spain: Agencia Espanola de Proteccion de Datos (AEPD), one of the most active in handling individual complaints
- Italy: Garante per la protezione dei dati personali, which has been active in AI regulation and ChatGPT enforcement
- Austria: Datenschutzbehorde (DSB), which issued the landmark ruling that use of Google Analytics without additional safeguards violated the GDPR
Powers of a Data Protection Commissioner
Understanding what a data protection commissioner can actually do to your organization helps you assess your compliance risk accurately. The GDPR grants supervisory authorities a broad toolkit under Articles 58 and 83.
Investigative powers (Article 58(1))
A data protection commissioner can:
- Order an organization to provide any information required for the performance of their tasks
- Carry out data protection audits
- Obtain access to an organization's premises, including data processing equipment and means
- Review certifications issued under Article 42
These powers mean a commissioner can demand your data processing records, inspect your servers, and audit your consent mechanisms. Refusing to cooperate is itself a violation.
Corrective powers (Article 58(2))
When violations are found, commissioners can:
- Issue warnings that intended processing operations are likely to infringe the GDPR
- Issue reprimands for confirmed infringements
- Order an organization to comply with a data subject's request to exercise their rights
- Order an organization to bring processing operations into compliance within a specified period
- Order the communication of a personal data breach to the affected individual
- Impose a temporary or permanent limitation on processing, including a ban
- Order the suspension of data flows to a recipient in a third country
- Impose administrative fines
The power to ban processing entirely is the most severe. It means a commissioner can effectively shut down a non-compliant data processing operation until the organization demonstrates compliance.
Administrative fines (Article 83)
GDPR fines operate on a two-tier system:
- Lower tier (up to 10 million EUR or 2% of global annual turnover): Violations related to data controllers and processors, certification bodies, and monitoring bodies
- Upper tier (up to 20 million EUR or 4% of global annual turnover): Violations of basic processing principles, data subject rights, and international transfer rules
Commissioners determine the fine amount based on factors listed in Article 83(2), including the nature and gravity of the infringement, the number of data subjects affected, actions taken to mitigate damage, degree of cooperation, and any previous infringements.
How Data Protection Commissioners Handle Complaints
If one of your website's users files a complaint, here is what typically happens. Understanding this process helps you respond appropriately and minimize exposure.
Filing and initial review
Any individual can lodge a complaint with the supervisory authority in the member state where they reside, work, or where the alleged infringement occurred (Article 77 of the GDPR). The authority conducts an initial assessment to determine whether the complaint falls within its jurisdiction and whether it has sufficient substance to warrant investigation.
Cross-border coordination
If the complaint involves cross-border processing, the one-stop-shop mechanism under Article 56 routes it to the lead supervisory authority (generally where the organization's main establishment is located). The lead authority must then cooperate with other "concerned" supervisory authorities through the consistency mechanism defined in Articles 60 through 67.
This process has been criticized for delays. The EDPB's dispute resolution mechanism under Article 65 provides a binding decision when authorities disagree, but cases can take years to resolve. The Irish DPC, which oversees many large tech companies, has faced particular scrutiny for the pace of its investigations.
Investigation and decision
The investigation may include requests for documentation, on-site inspections, and technical analysis of your systems. Organizations are entitled to be heard before any adverse decision. The commissioner then issues a decision that may include corrective measures, fines, or both.
Appeal rights
Organizations can appeal a commissioner's decision through the courts of the relevant member state. Under Article 78 of the GDPR, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority.
What Your Website Must Do to Satisfy a Data Protection Commissioner
Commissioners evaluate organizations against the specific requirements of the GDPR and other applicable laws. Here are the concrete obligations your website must meet.
Maintain a lawful basis for all processing
Every type of personal data you collect needs a documented legal basis under Article 6 of the GDPR. For most websites, this means consent for cookies and tracking, legitimate interest for basic analytics (with a documented balancing test), and contract performance for e-commerce transactions. Your privacy policy must disclose the legal basis for each processing purpose.
Publish a compliant privacy policy
Your privacy policy is often the first document a commissioner reviews. It must contain all disclosures required by Articles 13 and 14 of the GDPR, including:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- The identity and contact details of the data controller
- Contact details of your Data Protection Officer (if applicable)
- The purposes and legal basis for each type of processing
- Categories of recipients who receive personal data
- Details of international transfers and the safeguards in place
- Retention periods for each category of data
- All data subject rights and how to exercise them
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is a statutory or contractual requirement
Vague or inaccurate privacy policies are a common trigger for enforcement. The CNIL fined Clearview AI 20 million EUR in part because its privacy policy was inadequate.
Implement proper consent mechanisms
For processing that relies on consent, particularly cookies and tracking technologies, your consent mechanism must meet the GDPR standard: freely given, specific, informed, and unambiguous (Article 4(11)). In practice, this means your cookie banner must offer genuine choice (not just "accept all"), use clear language, and not use dark patterns to steer users toward consenting.
The CNIL's cookie enforcement actions have established clear expectations. Refusing cookies must be as easy as accepting them. Pre-checked boxes are invalid. Continuing to browse does not constitute consent.
Respond to data subject requests
Individuals have the right to access their data (Article 15), correct it (Article 16), delete it (Article 17), restrict its processing (Article 18), receive it in a portable format (Article 20), and object to processing (Article 21). You must respond within one month, extendable by two additional months for complex requests.
Failing to respond to data subject requests is one of the most common reasons individuals file complaints with commissioners. Establish a clear process for receiving, verifying, and fulfilling these requests.
Report breaches promptly
If a personal data breach occurs that poses a risk to individuals' rights and freedoms, you must notify the relevant supervisory authority within 72 hours under Article 33. If the breach poses a high risk to individuals, you must also notify the affected individuals directly under Article 34. Maintain a breach register documenting all breaches, regardless of whether they meet the notification threshold.
Keep records of processing activities
Article 30 of the GDPR requires controllers to maintain records of processing activities. These records must include the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a description of security measures. Commissioners routinely request these records during investigations.
How to Find Your Relevant Data Protection Commissioner
Identifying which data protection commissioner has jurisdiction over your website is essential for knowing where to direct breach notifications, where complaints will be filed, and whose guidance to follow.
If you have an EU establishment
Your lead supervisory authority is in the member state where your main establishment is located (Article 56). Your main establishment is where your central administration is in the EU, or where decisions about data processing purposes and means are made.
If you have no EU establishment
If your organization has no presence in the EU but offers goods or services to EU individuals or monitors their behavior, you should appoint a representative in the EU under Article 27 of the GDPR. Each supervisory authority in a member state where your data subjects are located may exercise its powers regarding your processing.
Practical tip for small website owners
If you operate a website that serves EU users but you are based outside the EU, focus on the supervisory authorities in the countries where most of your users are located. Tools like TermsBox's compliance scanner can help identify where your visitors are coming from and which jurisdictions' requirements apply to your specific data collection practices.
You can find contact details for all EEA data protection authorities through the EDPB's website, which maintains a directory of all supervisory authorities with links to their complaint forms, guidance documents, and breach notification portals.
Preparing for a Data Protection Commissioner Investigation
Most website owners will never face a formal investigation, but being prepared protects you if a complaint or breach triggers one.
Documentation is your best defense
Commissioners evaluate compliance based on evidence. Maintain documentation of:
- Your data processing records (Article 30 records)
- Consent records showing when and how consent was obtained
- Data Protection Impact Assessments for high-risk processing
- Data Processing Agreements with all processors
- Your breach response plan and breach register
- Evidence of staff training on data protection
Conduct regular compliance reviews
Do not wait for a complaint to find out your cookie banner is non-compliant or your privacy policy is outdated. Regular audits of your website's data collection, consent mechanisms, and privacy documentation help you catch issues before a commissioner does. Automated scanning tools that monitor your website for changes in cookies and trackers provide continuous oversight without manual effort.
Cooperate fully
Article 83(2)(f) lists "the degree of cooperation with the supervisory authority" as a factor in determining fines. Organizations that cooperate, respond promptly to information requests, and take proactive corrective action receive materially better outcomes than those that are evasive or slow to respond.
Know your response timeline
When a commissioner contacts your organization, you will typically receive a formal letter or email requesting specific information within a defined timeframe. Respond within that timeframe. If you need more time, request an extension with a clear explanation. Missing deadlines signals to the commissioner that compliance is not a priority for your organization.
Frequently Asked Questions
What does a data protection commissioner do?
A data protection commissioner is an independent public authority responsible for enforcing privacy and data protection laws within their jurisdiction. Their duties include investigating complaints from individuals, conducting audits and inspections of organizations, issuing fines and enforcement notices for violations, publishing guidance on compliance, and approving codes of conduct and certification mechanisms. Under Article 57 of the GDPR, each EU member state must establish at least one supervisory authority with these powers.
Can a data protection commissioner fine my business?
Yes. Under Article 83 of the GDPR, supervisory authorities can impose administrative fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher, for the most serious violations. Lower-tier fines of up to 10 million EUR or 2% of turnover apply to less severe infringements. The specific fine depends on factors including the nature and gravity of the violation, the number of people affected, and whether the organization cooperated with the investigation.
Which data protection commissioner has jurisdiction over my website?
Under the GDPR's one-stop-shop mechanism (Article 56), your lead supervisory authority is generally the one in the EU member state where your main establishment is located. If you have no establishment in the EU but process data of EU residents, each supervisory authority in a member state where your users are located may have jurisdiction. For practical purposes, the Irish Data Protection Commission oversees many U.S. tech companies because their EU headquarters are in Ireland.
How do I report a data breach to a data protection commissioner?
Under Article 33 of the GDPR, you must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. The notification must include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and the measures taken or proposed to address it. Most supervisory authorities provide an online breach notification form on their website.