Skuto

Data protection authority

A data protection authority (DPA) is the public body in each EU country that enforces privacy law. It investigates complaints, fines companies, and publishes guidance, including on AI chatbots. Italy has the Garante, France the CNIL, Ireland the DPC.

Privacy law would be just words on paper without someone to enforce it. That’s the job of data protection authorities: independent public bodies, one per EU country, that watch over the GDPR. They handle complaints from ordinary people (filing one is free), investigate companies, issue fines, and publish plain-language guidance. At EU level they coordinate through the European Data Protection Board (EDPB).

They’ve been anything but shy about AI. Italy’s Garante temporarily blocked ChatGPT in 2023 over privacy concerns, the first authority in the world to do so, and authorities across Europe have since questioned how chatbots collect data and train models. Many of the privacy controls you now see in chatbot settings exist because regulators pushed.

For you the takeaway is practical: if a company mishandles your data and ignores your requests, your national authority is where you turn, and no lawyer is needed to file a complaint. And their websites are reliable, jargon-light sources when you want to know what’s actually required. Meanwhile, prevention beats complaints: our paste checker helps you avoid oversharing in the first place.

Where you’ll meet this

  • Privacy policies, which must name the authority you can complain to
  • News about AI fines and investigations, usually led by a national DPA
  • The EDPB website, which lists every national authority in the EU
