On 19 March 2026, the European Data Protection Board (EDPB) officially launched the fifth edition of the Coordinated Enforcement Framework (CEF) — a coordinated GDPR enforcement action carried out simultaneously by national supervisory authorities across Europe. The topic for this year: transparency and information obligations under Articles 12, 13, and 14 GDPR.
25 European data protection authorities have joined the action. The results of national activities will be aggregated and analysed in the second half of 2026, with the EDPB publishing a summary report with recommendations for follow-up actions.
What Is CEF
The Coordinated Enforcement Framework is a mechanism introduced by the EDPB under which supervisory authorities across the EU simultaneously examine a selected topic at national level. Each edition covers a different issue. Previous CEF actions addressed the designation and role of DPOs (2023), the right of access (2024), and the right to erasure (2025).
The 2026 topic — transparency — was selected during the EDPB plenary meeting in October 2025.
Why Transparency
The right to information is one of the foundations of the GDPR. Article 12 sets out general requirements for the form and manner of providing information — in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Article 13 addresses information to be provided when data is collected directly from the individual. Article 14 covers information to be provided when data is obtained from another source.
In practice, information obligations remain one of the most frequently violated areas of the GDPR. Supervisory authority inspections regularly identify:
- privacy notices copied from templates, not adapted to the organisation’s actual processing activities
- multi-page documents written in legal language, incomprehensible to the average reader
- missing information about specific categories of data recipients
- outdated notices — referring to processes, systems, or legal bases that no longer exist
- missing notices in situations where data is collected outside a form (e.g., CCTV, profiling, cookies)
CEF 2026 aims to gather data on the scale of these problems in a systematic, comparable manner across all participating countries.
How the Action Will Proceed
Each supervisory authority decides on the form of its activities — these may include formal inspections, questionnaires sent to controllers, analyses of privacy notices on websites, or sector-specific reviews. The EDPB does not impose a uniform methodology but provides a common thematic framework.
In previous CEF editions, supervisory authorities used both enforcement actions (leading to decisions and potential sanctions) and fact-finding exercises — collecting data without direct consequences for the reviewed entities.
Results will be aggregated and published in an EDPB report, which will serve as the basis for further recommendations — at both European and national level.
What Organisations Should Do Now
CEF 2026 is a signal that supervisory authorities will be actively reviewing privacy notices in the coming months. This is a good time to review documentation against several key questions:
Are Your Privacy Notices Up to Date
A notice written in 2018 and never updated almost certainly does not reflect the current state of processing. New IT systems, new sub-processors, new processing purposes — each of these changes should be reflected in the information provided to data subjects.
Are Notices Linked to the Record of Processing Activities
The information obligation under Articles 13 and 14 GDPR requires specifying, among other things, processing purposes, legal basis, categories of recipients, and retention periods. The same information should come from the record of processing activities. If the notice says something different from the record — that is a problem.
Are Notices Understandable
Article 12 GDPR requires that information be provided in “clear and plain language.” A notice that reads like a legal statute does not meet this requirement — even if it is substantively complete.
Do Notices Cover All Data Collection Channels
Many organisations have a privacy notice on their website but lack one for paper forms, recruitment processes, CCTV systems, or mobile applications. Every point of data collection requires a separate or appropriately adapted information notice.
Summary
CEF 2026 is the fifth edition of coordinated GDPR enforcement, this time focused on transparency and information obligations under Articles 12-14. 25 supervisory authorities across Europe will review how organisations inform individuals about data processing. Results will be published in the second half of 2026. For controllers, this is a signal to review and update privacy notices — before the supervisory authority does it for them.
Source: EDPB
FAQ
Yes — any organisation subject to the GDPR under Article 3, including those outside the EU offering goods or services to individuals in Europe, may be reviewed.
Not necessarily. Supervisory authorities use different forms of action — from formal inspections to questionnaires to analyses of publicly available privacy notices. Not every organisation will be directly inspected.
Violations of Articles 12-14 GDPR are subject to administrative fines of up to EUR 20 million or 4% of annual turnover (Article 83(5)(b) GDPR). In practice, fines for information obligation failures alone tend to be lower but often form part of broader violations found during inspections.
There is no formal requirement for separate notices — but the notice must cover all information required by Article 13 or 14 GDPR for each processing purpose. In practice, many organisations use a layered approach: short summary plus full version.
Compare it with your record of processing activities. Every activity in the record should have a corresponding entry in the notice — the same purpose, the same legal basis, the same recipients, the same retention period.
Generate information notices directly from the record of processing activities
iGDPR generates information notices based on data from the record of processing activities. Change a process — update the notice. No copying templates. See how it works in practice.
START FREE TRIAL — 21 days, no commitment