The European Data Protection Board announced that its 2026 Coordinated Enforcement Framework (CEF) action would focus on transparency and information obligations under the General Data Protection Regulation. In early 2026, 25 data protection authorities across the European Economic Area and partner jurisdictions formally launched simultaneous investigations examining how organizations communicate their data collection, use, and sharing practices to individuals.

This is not a warning. It is an active enforcement initiative that is already underway.

The CEF is the EDPB’s mechanism for coordinating enforcement priorities across multiple national supervisory authorities. Since 2022, CEF actions have examined cookie banner compliance (2022), the right of access (2023), designation of data protection officers (2024), and exercise of the right to erasure (2025). Each CEF action has produced enforcement outcomes — including formal investigations, orders to change practices, and fines — at the national level.

The 2026 CEF action on transparency is the broadest yet in its potential scope. Transparency is not an isolated requirement. It is the foundational obligation on which most other GDPR compliance depends: you cannot obtain valid consent, fulfill data subject rights requests, or demonstrate lawful processing without first meeting transparency obligations. Organizations that fail the 2026 CEF scrutiny are not just failing a transparency audit — they are revealing gaps in the structural foundation of their GDPR compliance program.


What GDPR Transparency Requires

GDPR’s transparency obligations are set out primarily in Articles 12, 13, and 14.

Article 12: General Transparency Principles

Article 12 establishes the framework obligations that apply to all transparency communications. It requires that information provided to data subjects be:

  • Concise: Not buried in lengthy policy documents that obscure material information
  • Transparent: Clear about what is happening and why, without vague or misleading language
  • Intelligible: Understandable by the average person, not just legal or technical experts
  • Easily accessible: Findable without requiring the data subject to navigate through multiple menus or links
  • In clear and plain language: No jargon, no legal boilerplate that obscures the substance

Article 12 also establishes timeframes for responding to data subject requests (generally one month, extendable to three months in complex cases) and sets the default requirement that information be provided free of charge.

Article 13: Information Provided at Collection

Article 13 applies when personal data is collected directly from the data subject — through a form, an account registration, a sensor, or any other direct collection mechanism. At the time of collection, the controller must provide:

  • The identity and contact details of the controller (and DPO, if applicable)
  • The purposes and legal basis for processing
  • The legitimate interests pursued, if legitimate interests is the legal basis
  • Recipients or categories of recipients of personal data (including third-party sharing)
  • Transfers to third countries and the safeguards in place
  • Retention periods (or the criteria used to determine them)
  • Data subject rights (access, rectification, erasure, restriction, portability, objection)
  • The right to withdraw consent, if consent is the legal basis
  • The right to lodge a complaint with a supervisory authority
  • Whether provision of data is a contractual or statutory requirement, and the consequences of not providing it
  • The existence of any automated decision-making, including profiling, and meaningful information about the logic involved

This list is not aspirational — every element is legally required. Omissions are enforceable violations.

Article 14: Information for Indirectly Collected Data

Article 14 applies when personal data is obtained from a source other than the data subject — through data brokers, public records, partner lists, or any other indirect source. The same categories of information required under Article 13 must be provided, along with the source of the personal data. The time for providing this notice is within one month of obtaining the data, or at first contact with the data subject.

Article 14 compliance is where many organizations have the largest gaps. Direct-collection transparency (the privacy notice on your website or app) is familiar territory. Transparency about data acquired from third parties — broker purchases, enriched contact lists, data pooling arrangements — is less commonly implemented with equivalent rigor.


What the 2026 CEF Is Examining

The EDPB’s 2026 CEF action specifically focuses on the practical implementation of Articles 12–14. Based on the EDPB’s announcement and guidance from participating authorities, the investigation is examining:

Privacy Notices

Are privacy notices actually compliant with Articles 12–14? Participating DPAs are reviewing privacy notices for:

  • Completeness: Does the notice address all required elements, or does it omit required disclosures?
  • Accuracy: Does the notice describe the organization’s actual data practices, or does it contain vague or aspirational language that does not accurately reflect how data is processed?
  • Comprehensibility: Is the notice written in plain language, or is it a legal document that requires a law degree to interpret?
  • Accessibility: Can users find the privacy notice at the point where data is collected, or is it buried at the bottom of a page behind a small link?

Where consent is used as the legal basis for processing, DPAs are examining whether consent was obtained in a manner that meets GDPR’s requirements for valid consent: freely given, specific, informed, and unambiguous. This includes:

  • Consent banners and cookie consent mechanisms
  • Account registration consent flows
  • Marketing consent checkboxes
  • Consent records — can the organization demonstrate, for each processing activity based on consent, when and how consent was obtained?

Data Subject Communication

How does the organization communicate with data subjects when they exercise their rights? DPAs are examining:

  • Whether data subject requests (access, erasure, restriction) are responded to within required timeframes
  • Whether responses are in plain language or full of bureaucratic hedging
  • Whether the organization can locate and compile the personal data responsive to an access request
  • Whether refusals are legally justified and communicated with appropriate specificity

Layered Disclosure Practices

The EDPB has endorsed layered disclosure as a practical approach to the tension between completeness (long, comprehensive notices) and intelligibility (short, readable notices). The 2026 CEF is examining whether organizations using layered disclosure have implemented it correctly — meaning the summary layer is accurate and the full layer is genuinely accessible, not just technically linked.


CEF Enforcement Pattern: What Previous Actions Produced

Understanding the 2026 CEF requires understanding what the prior CEF actions actually produced in terms of enforcement outcomes.

CEF 2022 (Cookie Banners): Multiple DPAs opened formal investigations based on CEF findings. The Irish DPC, French CNIL, and Belgian DPA each issued enforcement decisions related to cookie compliance in the 2022–2024 period, with fines ranging from hundreds of thousands to hundreds of millions of euros. The CNIL’s enforcement against Google (€150 million) and Facebook (€60 million) in early 2022 pre-dated the CEF but was consistent with it.

CEF 2023 (Right of Access): Several authorities issued enforcement actions against organizations that failed to respond to access requests within the required timeframe or that provided inadequate responses. The EDPB published a report aggregating findings across participating authorities, identifying common compliance gaps.

CEF 2024 (DPO Designation): DPAs in multiple jurisdictions found organizations that were required to designate a DPO but had not, or that had designated DPOs who lacked the necessary qualifications or operational independence.

CEF 2025 (Right to Erasure): Enforcement actions were initiated against organizations that failed to properly handle erasure requests or that could not demonstrate they had deleted data across all systems where it was held.

The pattern across CEF actions is consistent: the EDPB selects a topic, 25 DPAs conduct simultaneous investigations, findings are aggregated, and the result is a wave of enforcement actions at the national level — some resulting in fines, some resulting in orders to correct practices, and some resulting in formal guidance that sets a higher standard for all organizations going forward.

The 2026 CEF on transparency will follow this pattern.


Common Transparency Failures: What to Audit

Based on prior EDPB guidance and the known focus areas of the 2026 CEF, organizations should audit for the following common failure modes:

Many privacy notices list multiple legal bases without clearly connecting each legal basis to the specific processing activity it supports. Statements like “we process your data on the basis of legitimate interests or your consent, as applicable” do not meet the Article 13 requirement to specify the legal basis for each processing purpose. Each purpose requires a clearly stated legal basis.

2. Retention Period Omissions

Article 13(2)(a) requires disclosure of retention periods, or if exact periods cannot be provided, the criteria used to determine them. Many privacy notices omit this entirely or provide aspirational statements (“we retain data only as long as necessary”) that do not specify what “necessary” means in practice. A compliant retention disclosure specifies actual retention periods or articulates specific criteria: “We retain transaction records for seven years to meet our tax obligations under [applicable law].”

3. Third-Party Sharing Without Specificity

Article 13(1)(e) requires disclosure of “recipients or categories of recipients.” Many privacy notices provide a generic list of categories (“analytics providers,” “marketing partners,” “service providers”) without sufficient specificity to enable data subjects to understand who actually receives their data. DPAs have increasingly required that privacy notices identify specific recipients or at minimum specific categories that are meaningful rather than generic.

4. Indirect Data Without Notice

Article 14 requires notice when data is obtained from third parties. Many organizations comply with Article 13 for data they collect directly while having no mechanism for providing Article 14 notice for data purchased from brokers or obtained through data sharing arrangements. The CEF is examining this gap specifically.

Where consent is the legal basis, Article 7(1) requires that the controller be able to demonstrate that consent was given. This is an evidentiary requirement: the organization must maintain records that show, for each processing activity based on consent, that consent was obtained, when it was obtained, and what the data subject was told at the time of consent. Organizations that collect consent through web forms, cookie banners, or account registration flows but do not maintain granular consent records will fail this element.


What Organizations Should Do

Conduct a Privacy Notice Audit

Review all privacy notices — website privacy policies, in-app disclosures, employee privacy notices, vendor/partner notices — against the Article 13 and 14 checklists. Document which required elements are present, which are missing or vague, and what remediation is needed.

Update Retention Schedules

If your privacy notice does not include specific retention periods or specific retention criteria, develop them now. This requires input from legal, compliance, IT, and records management functions. A data inventory that maps data categories to retention periods is the foundational document.

For each processing activity based on consent, verify: (a) the consent mechanism meets the GDPR standard for valid consent; (b) consent records are maintained and can be produced; and (c) the data subject was provided with accurate, complete information at the time consent was obtained.

Inventory Indirect Data Sources

Identify all sources from which you obtain personal data indirectly — data brokers, partner lists, public records, third-party integrations. For each, determine whether Article 14 notice has been provided and, if not, implement a notice mechanism.

Review Data Subject Request Processes

Assess whether your organization can respond to data subject access, erasure, restriction, portability, and objection requests within the required timeframes, with the required completeness, and in plain language.


Conclusion

The EDPB’s 2026 CEF on transparency is an active enforcement initiative, not a forthcoming one. Twenty-five data protection authorities are conducting investigations now. The scope of the review — privacy notices, consent flows, data subject communications, and third-party data disclosures — encompasses the foundational documentation of any GDPR compliance program.

Transparency is not a form-filling exercise. It is the mechanism by which individuals understand what is being done with their personal data and can exercise their rights. The EDPB’s selection of transparency as the 2026 CEF focus reflects a sustained regulatory view that many organizations are still failing this fundamental obligation eight years into GDPR’s enforcement era.


This article is provided for informational purposes only and does not constitute legal advice. Organizations with specific questions about GDPR transparency compliance should consult qualified data protection legal counsel.