
EDPB's 2026 Coordinated Enforcement Framework: GDPR Transparency Obligations Under Scrutiny

March 2026 · By LexForm Research · EU General Data Protection Regulation

On March 19, 2026, the European Data Protection Board announced its focus for the 2026 Coordinated Enforcement Framework (CEF). After addressing the Data Protection Officer role in 2024 and the right to erasure in 2025, the EDPB has turned its attention to perhaps the most visible GDPR obligation: transparency in the processing of personal data. This shift marks a significant moment for organizations across Europe. The framework will evaluate how controllers comply with Articles 12, 13, and 14 of the GDPR, which establish the rules governing transparent communication to data subjects.

Twenty-five Data Protection Authorities across Europe will participate in this coordinated enforcement action. Their collective assessment will result in a consolidated report during the second half of 2026. The timing is deliberate. As organizations approach the seventh anniversary of GDPR's entry into force, enforcement has sharpened. Investigations may follow the findings, and penalties for non-compliance are likely to increase.

Understanding the Three Articles Under Review

Article 12 establishes the foundation for transparent information and communication. It requires that information provided to data subjects be concise, transparent, intelligible, and easily accessible, and that it use clear and plain language. The article also dictates how and when information should be provided. Controllers must respect these communication standards across all interactions with data subjects.

Article 13 applies when personal data is collected directly from the data subject. The article requires controllers to provide specific information at the time of collection. This includes the controller's identity, the purposes of processing, legal bases, legitimate interests, recipients, retention periods, rights of the data subject, and information about automated decision-making. In practice, this is where most privacy notices appear. Website privacy policies, app consent screens, and registration forms all fall within Article 13's scope.

Article 14 covers scenarios where data is collected from sources other than the data subject. A financial institution receiving customer data from a credit bureau, or a retailer accessing supplier information through a third party, both trigger Article 14 obligations. The information requirements are similar to Article 13 but with important differences. Article 14 addresses timing and exceptions, recognizing that contacting data subjects about data not provided by them involves different considerations.

Why Transparency Matters Now

Transparency stands as the cornerstone of GDPR. The regulation is built on the principle that individuals must understand what happens to their personal data. They need clear information to exercise other rights, such as access, rectification, or erasure. Without proper transparency, data subjects cannot make informed decisions about whether to interact with a controller.

Yet transparency remains one of the most commonly neglected obligations: cookie banners that obscure the actual choices, privacy notices written in incomprehensible legal language, information buried in hyperlinked documents, and retention periods listed as "as long as necessary" without any specificity. DPAs have documented widespread failures. The CEF 2026 will formalize this scrutiny across Europe.

Organizations that have deferred transparency improvements should act now. The DPAs will assess whether information meets GDPR standards. They will examine whether language is truly plain, whether timing is appropriate, and whether all required elements are present. The evaluation will not be limited to large technology companies. Controllers of all sizes will face assessment.

Enforcement Outcomes and Penalties

Historical CEF actions have led to tangible consequences. The 2024 CEF on DPO designation resulted in investigations. The 2025 CEF on the right to erasure generated compliance findings. Organizations identified as non-compliant faced inquiries and, in some cases, enforcement action.

GDPR penalties reach up to 20 million euros or 4 percent of global annual turnover, whichever is higher, for failures to comply with basic obligations including transparency. While enforcement may follow a pattern, with warnings preceding formal penalties, organizations should not assume leniency. DPAs are increasingly willing to use penalties. The 2026 framework creates a baseline assessment. Non-compliance identified in the CEF may trigger DPA attention that continues beyond the formal campaign period.

Third Country Transfers and Enhanced Scrutiny

Some DPAs have already signaled stricter positions on transparency related to third country data transfers. They require controllers to explicitly identify each third country to which data transfers occur. Generic references to "countries where processing is necessary" or broad categories of recipients are insufficient. This position reflects Article 13(1)(e), which requires naming recipients or categories of recipients.

As enforcement tightens, organizations should review their privacy notices. Any mention of data transfers must specify destinations. Where Adequacy Decisions or Standard Contractual Clauses apply, this context should be explained to data subjects. Supplementary safeguards must be disclosed. For organizations operating across multiple jurisdictions, this may require region-specific privacy notices rather than a single global version.

Practical Compliance Steps

Organizations should conduct a transparency audit before the CEF assessment period concludes. First, review all privacy notices. Assess whether language qualifies as "plain." Replace jargon with simple explanations. Lawyers frequently describe retention policies as "necessary for legal compliance" without explaining what that means. Instead, state specific periods: "two years for service delivery, ten years for tax records."

Second, ensure all required elements appear in Article 13 notices. Create a checklist: controller identity, purposes, legal bases, legitimate interests (where applicable), recipients by category, retention periods, rights, and decision-making information. Many organizations omit information about automated decision-making because they believe it does not apply. But processing data through filters, scoring systems, or algorithmic sorting may constitute automated decision-making requiring disclosure.

Third, audit Article 14 procedures. If data is collected from third parties, verify that information reaches data subjects within the required timeline. GDPR permits delays only where providing information would prove impossible or result in disproportionate effort. These exceptions are narrow.

Fourth, implement a documentation system. GDPR requires controllers to demonstrate compliance. Maintain records of when privacy notices were updated, what changes were made, and the rationale. This documentation supports accountability and demonstrates good faith effort to comply.

Fifth, address accessibility. GDPR requires that information be "easily accessible." This extends beyond legal accessibility. Ensure privacy notices load quickly, display properly on mobile devices, and use fonts and colors that meet accessibility standards.

The Broader Enforcement Landscape

The CEF 2026 occurs in a context of increased GDPR enforcement globally. The European Data Protection Board has issued guidelines on transparency. DPAs in Germany, France, Spain, and the Netherlands have levied significant fines for transparency failures. The trend is clear: DPAs view transparency as foundational. Organizations that fall short can expect scrutiny.

Beyond Europe, the GDPR continues to influence global privacy standards. Jurisdictions from the United Kingdom to Brazil have adopted similar transparency requirements. Investments in GDPR compliance generate returns across multiple regulatory regimes.

Moving Forward

The EDPB's 2026 focus on transparency is not surprising. It is fundamental. Yet the timing suggests acceleration. DPAs are shifting from awareness-building to active enforcement. Organizations that have maintained outdated privacy notices should prioritize updates. Those processing data in multiple countries should consider localized approaches to meet specific regulatory positions.

The consolidated report expected in the second half of 2026 will provide guidance on compliance expectations. Until then, controllers should apply the GDPR's plain language requirement literally. Information should be written for a data subject unfamiliar with data processing. Technical terms should be explained. Rights should be clearly stated. Recipients should be identified specifically.

Transparency is not a compliance burden but a core operational requirement. Organizations that treat it as such find themselves better positioned to respond to enforcement scrutiny and to maintain trust with their data subjects.
