Every member state has its own supervisory authority
The GDPR is a European regulation, but enforcement happens at national level. Every EU country has an independent supervisory authority (Data Protection Authority, or DPA) responsible for overseeing compliance.
The Benelux
Netherlands - Autoriteit Persoonsgegevens (AP)
- Website: autoriteitpersoonsgegevens.nl
- Data breach reports: via the reporting portal on the website
- Complaints: via the complaint form
- The AP is active in enforcement and regularly imposes fines, including on SMEs
Belgium - Gegevensbeschermingsautoriteit (GBA)
- Website: gegevensbeschermingsautoriteit.be
- Data breach reports: via the reporting form on the website
- Complaints: via the disputes chamber
- The GBA is known for a constructive but strict approach
Luxembourg - Commission Nationale pour la Protection des Données (CNPD)
- Website: cnpd.public.lu
- Data breach reports: via the online reporting form
Other key EU authorities
Germany
Germany has a unique structure with both a federal supervisor (BfDI) and supervisory authorities per state. The competent authority depends on where your business is located.
France - CNIL
The Commission Nationale de l’Informatique et des Libertés is one of the most active supervisory authorities in Europe and has imposed the highest fines.
Ireland - Data Protection Commission (DPC)
Relevant because many large tech companies (Google, Meta, Apple) have their European headquarters in Ireland.
Which authority is relevant for you?
The rule of thumb: the authority in the country where your main establishment is located is your primary point of contact. That is also the authority you report data breaches to.
If you only operate in the Netherlands: the Autoriteit Persoonsgegevens. If you only operate in Belgium: the GBA. If you operate in multiple countries: the authority where your main establishment is located is your lead authority.
Cooperation between authorities
National supervisory authorities cooperate through the European Data Protection Board (EDPB). For cross-border cases, the lead authority coordinates with the other involved authorities. In practice, as a business owner you mainly deal with your own national authority.
GDPRWise helps you have all documents ready that the supervisory authority may request: record of processing activities, privacy policy, and more.