The European Data Protection Board (EDPB) has launched its 2026 Coordinated Enforcement Framework action, putting GDPR transparency and information obligations under direct supervisory focus across Europe.
This is current-year enforcement activity, not a retrospective case note. During 2026, 25 European data protection authorities will assess whether controllers give individuals clear, complete, and accessible information about how their personal data is processed. The action covers the GDPR’s transparency framework, especially Articles 12, 13, and 14.
For HR, marketing, and senior compliance teams, the message is practical: privacy notices, collection notices, recruitment notices, cookie journeys, and vendor-facing data flows need to be accurate before a regulator asks to see them.
Summary & Key Facts
| Detail | Information |
|---|---|
| Regulatory action | EDPB Coordinated Enforcement Framework 2026 |
| Topic | GDPR transparency and information obligations |
| Announced | 19 March 2026 |
| Participating authorities | 25 European data protection authorities |
| Relevant GDPR provisions | Articles 12, 13, and 14 |
| Likely methods | Fact-finding exercises, direct supervisory checks, and enforcement follow-up where needed |
| Main risk for organisations | Privacy information that is incomplete, unclear, stale, or inconsistent with real processing |

The EDPB uses coordinated enforcement to align supervisory priorities across Europe. A coordinated action does not mean every organisation will be contacted, but it does mean regulators are looking at the same compliance theme at the same time. That raises the chance of common findings, shared regulatory expectations, and follow-up action where controllers fall short.
What The EDPB Is Looking At
The 2026 action focuses on whether individuals are properly informed when their data is processed. GDPR transparency is not just a legal notice exercise. It requires information to be concise, intelligible, easily accessible, and written in clear language.
Article 13 applies when an organisation collects personal data directly from the individual. Article 14 applies when personal data is obtained from another source, such as a data broker, referral partner, scraped source, public register, recruitment platform, analytics vendor, or group company. Article 12 sets the standard for how that information must be presented and how rights communications should work.
The EDPB’s announcement says participating authorities may contact controllers from different sectors through enforcement actions or fact-finding exercises. If a fact-finding review shows weaknesses, authorities may decide to take additional follow-up action.
Why This Matters In 2026
Transparency failures often sit underneath bigger compliance problems. If a privacy notice says one thing while the business does another, the organisation may also have problems with lawful basis, purpose limitation, consent, retention, data sharing, or data subject rights.
The 2026 focus is especially important because many organisations have added new data uses quickly: AI tools, recruitment automation, customer profiling, first-party advertising systems, employee monitoring, enrichment vendors, and cross-border SaaS platforms. Each new processing activity needs a corresponding transparency check.
A regulator reviewing transparency will not only read the privacy notice. It may compare that notice against actual data flows, vendor lists, consent records, DPIAs, cookie tools, CRM fields, HR systems, and data subject request handling.
What Managers Should Check Now
HR Teams
- Recruitment notices: Confirm applicants are told what data is collected, where it comes from, who receives it, how long it is kept, and whether automated screening or assessment tools are used.
- Employee privacy information: Review notices for monitoring, absence management, performance tools, wellbeing schemes, device management, and workplace analytics.
- Third-party data sources: If HR receives data from background screening providers, recruiters, assessment vendors, or public profiles, check whether Article 14 information is complete and timely.
- Plain-language rights information: Employees and candidates should be able to understand how to exercise access, correction, deletion, restriction, objection, and portability rights where applicable.
Senior Leadership
- Match notices to reality: Ask legal, privacy, HR, IT, marketing, and procurement to confirm whether published privacy notices match current processing. Gaps between documentation and practice are a common enforcement trigger.
- Create ownership for notice updates: Privacy information often becomes stale because no team owns review cycles. Assign clear ownership and set a quarterly review rhythm for high-change areas.
- Check processor and controller roles: If your organisation receives data from partners, group entities, public sources, or vendors, document whether Article 13 or Article 14 applies and who gives the notice.
- Keep evidence: Regulators may ask not only what your privacy information says, but when it was reviewed, who approved it, and how it maps to processing records.
Marketing
- Targeted advertising and analytics: Check whether your privacy notice explains profiling, advertising partners, cookies, pixels, conversion APIs, customer match tools, and opt-out rights accurately.
- Lead generation sources: If marketing imports data from events, webinars, partners, lists, enrichment tools, or social platforms, confirm Article 14 notices are handled properly.
- Consent journeys: Cookie banners and email sign-up flows should match the privacy notice and avoid vague descriptions of tracking or data sharing.
- Preference centres: Make sure opt-outs work in practice and that users can understand the difference between service messages, marketing emails, profiling, and advertising cookies.
Common Transparency Failures
| Risk Area | What Goes Wrong | Practical Fix |
|---|---|---|
| Stale privacy notices | Notices do not mention new tools, vendors, or data uses | Compare notices against records of processing and vendor registers |
| Vague purposes | Broad wording such as “business purposes” hides the real processing | Use specific purposes tied to actual workflows |
| Missing Article 14 notices | Individuals are not told when data comes from third-party sources | Identify indirect data sources and set notice triggers |
| Unclear retention periods | Notices say data is kept “as long as needed” without criteria | Add periods or clear retention criteria by data category |
| Poor rights information | Rights are listed but the route to exercise them is unclear | Provide a simple contact route and expected response process |
| Inconsistent cookie disclosures | Cookie banner, cookie policy, and privacy notice do not match | Reconcile all tracking disclosures against live tags |

EU GDPR vs UK GDPR: What UK Organisations Should Note
The EDPB’s coordinated enforcement action is an EU GDPR initiative. It does not directly bind UK-only organisations that are outside EU GDPR scope. UK organisations are regulated by the ICO under the UK GDPR and Data Protection Act 2018.
However, UK organisations with EU customers, EU employees, EU establishments, or services that monitor individuals in the EU may still fall within EU GDPR. Even where EU GDPR does not apply directly, the UK GDPR contains comparable transparency duties. UK compliance teams should therefore treat the EDPB action as a useful signal of wider regulatory expectations.
Action Plan Before A Regulator Calls
- Inventory notices: Gather privacy notices, employee notices, recruitment notices, cookie notices, app notices, and just-in-time collection messages.
- Map them to processing: Compare each notice against records of processing, DPIAs, vendor registers, cookie scans, CRM fields, HR systems, and data flows.
- Fix indirect collection gaps: Identify where data is received from third parties and confirm Article 14 information is provided unless a valid exemption applies.
- Test readability: Remove legalistic phrasing where possible and check that frontline users can understand the notice without specialist knowledge.
- Evidence review: Keep dated records showing what was reviewed, what changed, and who approved the updated notices.
Related Guidance
- EDPB – CEF 2026 transparency enforcement announcement
- EU GDPR Article 12 – transparent information and communication
- EU GDPR Article 13 – information where personal data is collected from the data subject
- EU GDPR Article 14 – information where personal data has not been obtained from the data subject
This article reflects current 2026 EDPB enforcement activity and does not constitute legal advice. Organisations should take advice on their own EU GDPR and UK GDPR scope before making compliance decisions.
