GDPR Supervisory Authority Inspections – How to Prepare and What Authorities Check

Apr 11, 2026 | GDPR and iGDPR guides for practitioners and beginners

A supervisory authority inspection is one of those events that organisations tend to treat as a distant risk — until it arrives. In reality, data protection authorities across Europe are increasingly active, coordinated and well-resourced. The cumulative total of GDPR fines since 2018 reached €7.1 billion by January 2026 — and enforcement is not limited to large technology companies. Authorities inspect organisations of all sizes, across all sectors.

This article explains what supervisory authorities can do, what they check during an inspection, how enforcement approaches differ across key European jurisdictions, and what every organisation needs to have in order before an inspection begins.

What is a supervisory authority under GDPR

Every EU and EEA member state has a national data protection authority (DPA) — an independent public body responsible for monitoring compliance with GDPR, handling complaints from individuals and enforcing the regulation. The UK has the Information Commissioner’s Office (ICO), which enforces the UK GDPR following Brexit.

Under Article 58 GDPR, supervisory authorities can conduct audits, request information and documentation from organisations, obtain access to premises and processing systems, and impose corrective measures to address non-compliance.

At the European level, the European Data Protection Board (EDPB) coordinates enforcement across member states and issues binding guidance to ensure consistent application of GDPR across borders.

What supervisory authorities can do — their powers under Article 58

The powers available to supervisory authorities fall into three categories.

Investigative powers — conducting audits, requesting information and documentation, obtaining access to premises and equipment, reviewing certifications and codes of conduct.

Corrective powers — issuing warnings and reprimands, ordering compliance, imposing temporary or permanent processing bans, ordering erasure of data, suspending data flows to third countries.

Advisory powers — issuing opinions, approving codes of conduct and certifications, providing prior consultation on high-risk processing.

The most significant corrective power is the imposition of administrative fines — up to €20 million or 4% of global annual turnover for the most serious infringements, whichever is higher.

How inspections are triggered

Supervisory authority inspections are initiated in several ways.

Complaint-driven — the most common trigger. An individual files a complaint with their national DPA alleging a violation of their data subject rights or unlawful processing. The DPA is obliged to investigate.

Sector-based planned inspections — many authorities publish annual inspection plans targeting specific sectors. Organisations operating in those sectors should treat the plan as advance notice.

Data breach notification — notifying a supervisory authority of a personal data breach frequently triggers follow-up investigation into the circumstances, the security measures in place, and whether the breach was preventable.

Media or regulatory intelligence — high-profile incidents, whistleblower reports or cross-border enforcement actions can trigger an investigation without a formal complaint.

What authorities check during a GDPR inspection

Regardless of jurisdiction, inspections typically cover the same core areas.

Record of processing activities — the completeness, accuracy and currency of the organisation’s record under Article 30 GDPR. This is frequently the first document requested. A record that has not been updated since initial GDPR implementation is a red flag.

Legal bases for processing — whether the organisation has identified an appropriate legal basis for each processing activity and can demonstrate this. Consent-based processing is scrutinised particularly closely — whether consent was freely given, specific and documented.

Data subject rights handling — whether the organisation has a process for handling access, erasure, rectification and objection requests, whether deadlines are being met, and whether responses are complete.

Data processing agreements — whether agreements with all processors are in place and meet the requirements of Article 28 GDPR. Missing DPAs with cloud providers, payroll processors and marketing platforms are a common finding.

Security measures — the technical and organisational measures in place under Article 32, proportionate to the risk of the processing activities.

Data breach procedures — whether a documented incident response process exists, how breaches are assessed and whether the 72-hour notification obligation is understood.

Risk assessment and DPIA — whether risk assessments are conducted and updated, and whether DPIAs have been carried out for high-risk processing before it commenced.

How enforcement differs across key European jurisdictions

While the GDPR creates a unified legal framework, enforcement culture and priorities differ significantly between national authorities.

UK — Information Commissioner’s Office (ICO)

ICO applies a proportionate, risk-based approach — focusing on cases with the greatest potential for harm rather than penalising every violation. In 2025, the number of enforcement actions fell by nearly half compared to 2024 — but when ICO acted, it acted decisively: 15 fines collectively brought in £21.7 million, eight times the entire 2024 total.

The priority in 2025 was data security. ICO fined Capita £14 million for inadequate technical security measures following a cyberattack, and LastPass £1.2 million for similar failures. ICO is clearly shifting from penalising marketing violations (PECR) toward serious UK GDPR breaches involving security and data protection.

The Data (Use and Access) Act 2025 expanded ICO’s powers — it can now require organisations to commission an external audit at their own cost as part of an investigation.

France — CNIL

CNIL is one of the most aggressive enforcement authorities in Europe. In 2025, the average amount of CNIL sanctions in ordinary procedure reached approximately €44 million — compared to €4 million in 2024. On average, fines increased tenfold in a single year.

Cookie consent and behavioural advertising are the primary enforcement priorities. On 1 September 2025, CNIL fined SHEIN €150 million for installing cookies before obtaining user consent and for a “Reject all” option that did not reliably function. On the same day, CNIL fined Google €325 million for displaying promotional ads in Gmail without prior consent.

CNIL conducts both announced and unannounced inspections, including remote audits of websites. Cookie banners are a permanent priority enforcement area.

Germany — BfDI and Länder authorities

Germany has a decentralised structure — 16 state-level data protection authorities (one per Bundesland) plus the federal BfDI, which covers federal public bodies and certain regulated sectors. Enforcement is technically rigorous, with particular focus on IT security, data transfers and organisational compliance requirements.

The DSK — the conference of all German data protection authorities — publishes coordinated guidance shaping enforcement priorities across all 16 states. Organisations operating in Germany should monitor DSK guidance as an indicator of upcoming enforcement focus.

Netherlands — Autoriteit Persoonsgegevens (AP)

AP takes a strategic approach — selecting cases with significant systemic or precedent-setting implications. In September 2024, AP fined Clearview AI €30.5 million for illegally scraping facial images from the internet without consent, and became the first European authority to formally announce consideration of personal liability for the company’s management.

AP is a pioneer in enforcement of cross-border data transfer requirements and in establishing personal accountability of executives for GDPR violations.

Spain — Agencia Española de Protección de Datos (AEPD)

AEPD holds the EU record for the highest number of fines issued. By September 2025, Spain had issued 1,021 fines totalling approximately €120.75 million — the largest number of penalties of any EU member state. Individual fine amounts are often lower than in other countries — AEPD operates on a broad enforcement reach, covering organisations of all sizes.

Main areas: unlawful data transfers, inadequate consent, cookie violations and data security failures. AEPD is known for a fast decision-making process and willingness to pursue small and medium-sized organisations.

Italy — Garante per la protezione dei dati personali

Garante is particularly active in the area of new technologies and artificial intelligence — it was the first European DPA to temporarily ban ChatGPT in 2023. In December 2024, Garante fined OpenAI €15 million for lacking a lawful basis to process personal data for ChatGPT training and for insufficient transparency. Earlier in 2024, Garante fined Enel Energia €79.1 million for unlawfully obtaining customer data from illegal lists.

Garante’s inspection priorities include transparency, data subject rights and employee data processing — particularly in the context of algorithmic management.

Austria — Datenschutzbehörde (DSB)

DSB operates with significantly fewer resources than most European counterparts. In 2024, DSB processed 3,813 complaints but completed only 214 proceedings — of which 62 resulted in fines totalling approximately €1.7 million. Most proceedings exceed the statutory six-month deadline, with many taking years to resolve.

Despite resource constraints, DSB has established rigorous standards in specific areas. Its decisions on Google Analytics established that Austrian enforcement of data transfer rules is strict — a risk-based argument that surveillance by foreign intelligence services is merely unlikely does not satisfy DSB’s standard. DSB has also ruled that a managing director cannot simultaneously serve as Data Protection Officer, resulting in fines for organisations that maintained this arrangement.

In 2025, DSB announced its audit focus would target regional police directorates — following a 2024 audit focus on the right of access.

How to prepare for a GDPR inspection

The following documentation should be maintained and immediately accessible — not reconstructed at short notice when an inspection is announced.

Core documentation: a current record of processing activities covering all processing operations; data processing agreements with all processors; risk assessments for processing activities and DPIAs for high-risk processing; an access control register showing who has access to personal data and on what basis; a data breach register and incident response procedure; a data retention policy with defined and enforced periods.

Operational evidence: logs of data subject requests received and how they were handled; evidence of staff training on data protection; records of consent where consent is the legal basis; evidence of cookie consent management and banner configuration.

The most common inspection findings across Europe

Despite differences in enforcement style, the same compliance gaps appear across jurisdictions.

Outdated or incomplete records of processing activities — the most frequently identified documentation failure across all European DPAs.

Missing data processing agreements — particularly with SaaS providers, cloud infrastructure and marketing platforms.

Non-compliant cookie banners — a priority enforcement area for CNIL, ICO and Dutch AP alike. Banners that make declining harder than accepting do not meet consent requirements.

Inadequate data breach procedures — organisations that cannot demonstrate a functioning 72-hour notification process.

Failure to respond to data subject requests within the one-month deadline — frequently identified in complaint-driven investigations.

How iGDPR helps with inspection readiness

iGDPR maintains all core GDPR documentation in a single, structured system — record of processing activities, access management, data processing agreements, risk assessments and data subject request handling — all linked and always current. During an inspection, instead of searching through files and emails, you have a complete, organised record available immediately.

Summary

GDPR supervisory authority inspections are not a theoretical risk — they are an operational reality for organisations across Europe. The legal framework is consistent across all member states, but enforcement culture, priorities and intensity differ significantly between jurisdictions. What is consistent is what authorities look for: current documentation, functioning processes and the ability to demonstrate compliance in practice, not just on paper.

Key principles: inspections can be triggered by complaints, sector plans, breach notifications or regulatory intelligence; authorities check documentation but also verify that processes function in practice; the most common findings are identical across Europe — outdated records, missing DPAs, non-compliant cookie banners; inspection readiness is a permanent operational state, not a preparation exercise.

Frequently asked questions about GDPR supervisory authority inspections

Which supervisory authority is responsible for my organisation? Generally, the authority of the country where your organisation is established. For organisations with establishments in multiple EU countries, the authority where your main establishment is located acts as the lead supervisory authority for cross-border matters.

Can a supervisory authority inspect without advance notice? Yes — unannounced inspections are possible in all European jurisdictions. While planned sector inspections are typically announced, complaint-driven and incident-triggered investigations may not be.

What happens after an inspection? The authority issues a report or decision. Outcomes range from recommendations for improvement to binding orders, warnings, reprimands and administrative fines. Decisions are typically published and remain publicly accessible.

Do small organisations get inspected and fined? Yes — GDPR applies to all organisations that process personal data, regardless of size. All European DPAs conduct inspections of small and medium-sized organisations as well as large corporations. Spain’s AEPD in particular is known for a high volume of fines across organisations of all sizes.

What is the maximum GDPR fine? Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements. Fines vary significantly by jurisdiction and violation type.

What should we do immediately if we receive notice of an inspection? Gather your record of processing activities, data processing agreements, access control register and breach register. Do not destroy or alter documentation. Appoint a single point of contact for the authority. Consider engaging a data protection specialist if you have not already done so.

Be ready for a supervisory authority inspection — at any time

iGDPR keeps your complete GDPR documentation in one place — record of processing activities, access management, processing agreements, risk assessments and data subject request handling. During an inspection, everything is immediately available. See how it works in practice.
