The Chapter deals with the use of sanctioning powers in the context of EU data protection law and reflects on the thorny relationship between different typologies of sanctions (criminal and administrative) in the light of the new administrative sanctioning powers of the Data Protection Authorities. The analysis starts form short historical presentation of the EU (secondary) laws dealing with data protection and, then it looks at changes to EU primary law brought about by the Treaty of Lisbon with an explicit imperative to improve EU data protection. The core of the analysis discusses the system of remedies in the GDPR and some examples of recent sanctioning practices by the national DPAs. The analysis is followed by three more reflective sections about supervisory convergence without creating new EU institutions, the administrative enforcement fray and defence rights and the role of criminal law in EU data protection law. The chapter also offers some guidance observations about the operationalisation of the threefold system of enforcement set up by EU data protection law.