Personal data protection enforcement in the European Union (EU) has evolved significantly since the adoption of Directive 95/46/EC.1 Despite the Directive’s objective to harmonize data protection regulation in the EU, its implementation resulted in differing enforcement practices of its Member States. The Directive called for the adoption of suitable measures to ensure its full implementation but did not specify the framework to be followed in practice. This led to the adoption of different sanction mechanisms throughout the EU. Studies provided by such institutions as the European Union Agency for Fundamental Rights,2 or in academic writing,3 summarized the state of personal data protection in the EU during the Directive’s application and identified its deficits. Papers analysing individual sanctions applicable under this Directive,4 highlighted its toothlessness,5 elucidated deficits regarding the imposition of administrative fines by national authorities,6 and discussed possible solutions considering the potential of competition law to influence the sanctioning of data protection infringements in the future legislation.