A Data Protection Authority (DPA) is an independent public body that enforces data protection law in a given jurisdiction — what GDPR Article 51 formally calls a "supervisory authority." Each EU member state has at least one: France's CNIL, Italy's Garante, Spain's AEPD, Ireland's DPC. Germany has 17. Major non-EU regulators include the UK's ICO, California's CPPA, Australia's OAIC, and Brazil's ANPD. DPAs investigate complaints, audit organisations, issue binding decisions, and fine up to €20 million or 4% of global turnover. One catch: "DPA" also stands for Data Processing Agreement — the Article 28 contract between controller and processor.