The European Data Protection Board (EDPB) has launched its 2026 Coordinated Enforcement Framework (CEF) action, turning its focus to transparency and information obligations under Articles 12, 13, and 14 of the GDPR. 25 Data Protection Authorities across Europe will participate, assessing how controllers inform individuals about the collection, use, and sharing of their personal data.
The action follows last year’s coordinated effort on the right to erasure, which surfaced recurring challenges including a lack of appropriate internal procedures, reliance on ineffective anonymisation techniques, and difficulties in determining appropriate data retention periods. This year’s transparency focus signals that regulators view privacy notices and information practices as an area where compliance remains uneven — and where enforcement may now intensify.
Participating DPAs will contact controllers from different sectors through enforcement actions or fact-finding exercises. The results will be aggregated and analysed to generate insights for targeted follow-up at both national and European levels. Organisations should expect questionnaires, audits, and, in some cases, formal investigations into how they communicate processing purposes, legal bases, retention periods, and data subject rights.
The CEF is a key action under the EDPB’s 2024–2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs. With transparency singled out as this year’s priority, controllers operating across multiple EU jurisdictions face coordinated regulatory scrutiny for the first time on this specific topic.
Acompli perspective: This is a practical compliance test, not a theoretical one. Organisations should audit their privacy notices now — checking that information is concise, easily accessible, and genuinely reflects current processing activities. Maintaining an accurate record of processing activities is the foundation for defensible transparency, while structured data mapping ensures that what you tell individuals matches what actually happens. Regulators are looking for evidence that transparency is operationalised, not just documented.