25 EU Data Protection Authorities Are Actively Reviewing Privacy Notices: What Articles 12 to 14 Require and How to Prepare

Source: European Data Protection Board

Enforcement under the GDPR is not waiting for further announcements. The European Data Protection Board (EDPB) has formally launched its 2026 Coordinated Enforcement Framework (CEF) action, directing 25 national data protection authorities across the European Economic Area to simultaneously examine how organisations comply with their information and transparency obligations under the GDPR. Controllers across multiple sectors are being contacted now, through both formal investigations and fact-finding exercises.

The 2026 action follows last year’s CEF focus on the right to erasure. The shift to transparency is deliberate. Transparency obligations are among the most widely and persistently breached provisions in the GDPR, and regulators have consistently found that organisations provide privacy notices that are technically present but practically inaccessible, vague in their descriptions of lawful bases, and silent on retention periods and data sharing arrangements. The EDPB has chosen to make 2026 the year that changes.

What the enforcement action covers

The scope of the 2026 CEF action encompasses Articles 5(1)(a), 12, 13, and 14 of the GDPR.

Article 12 sets the foundational standard: information provided to data subjects must be concise, transparent, intelligible, and easily accessible. It must be in clear and plain language, provided free of charge, and not require legal or technical expertise to understand.

Article 13 specifies what must be disclosed when data is collected directly from the individual. This applies to contact forms, checkout flows, newsletter signups, account registration, customer support interactions, and analytics. Required disclosures include the identity and contact details of the data controller and appointed DPO, the purpose and lawful basis for each processing activity, the retention period for each category of data, the data subject’s rights and how to exercise them, and whether data will be transferred outside the EEA and under what mechanism.

Article 14 carries equivalent requirements when data is obtained indirectly, such as from marketing databases, lead generators, advertising data partners, and data enrichment services.

Who faces exposure

The participating DPAs are contacting controllers across multiple sectors. The EDPB has not published a sector-specific target list, which means the enforcement perimeter is broad. Any organisation that uses analytics scripts, advertising pixels, or tracking technologies on its website; that collects email addresses for any purpose; that processes customer or employee personal data; that uses third-party data to inform marketing or sales activity; or that receives personal data from partners or resellers falls within the scope of Articles 13 and 14.

Unlike some previous coordinated actions focused on large platforms, the 2026 CEF action is technology-neutral. A business with a simple contact form and a newsletter list faces the same compliance standard as a large enterprise with a complex data architecture. The obligations scale with the processing activity, not with the size of the organisation.

What regulators are specifically looking at

Based on the requirements of Articles 12 to 14 and patterns from previous CEF investigations, DPA audits under this action are likely to examine whether privacy notices are prominently accessible before data collection begins; whether notices identify every processing purpose and the corresponding lawful basis for each one specifically; whether recipients or categories of recipients are named rather than referred to as “trusted partners”; whether retention periods are specific rather than vague formulations like “as long as necessary to fulfil our purposes”; whether data subject rights and the mechanism for exercising them are clearly described; and whether third-country transfer mechanisms are identified where personal data leaves the EEA.

DPAs may initiate contact through a formal investigation or through a fact-finding exercise. A fact-finding letter is not itself a fine, but it can become the precursor to a formal investigation if the initial examination reveals compliance gaps. Receiving a fact-finding letter and responding with a privacy notice that does not meet the requirements is not a satisfactory outcome.

The AI Act timing conflict

There is an additional dimension to the 2026 CEF action that organisations preparing for other regulatory deadlines should factor into their planning. The EU AI Act’s compliance deadline for high-risk AI systems falls on 2 August 2026. High-risk systems used in employment decisions, credit scoring, and access to essential services carry their own transparency and information obligations for affected individuals.

An organisation that meets the AI Act’s transparency requirements for a given processing activity but fails the GDPR’s Article 13 standard for the same activity faces exposure from both frameworks simultaneously. The practical advice is to review both sets of obligations together rather than treating them as separate compliance workstreams.

What to do before a DPA contacts you

There is no advance notice of which organisations will be contacted or when. By the time contact arrives, the window for proactive self-correction has effectively closed. The practical step is to act now, along the following lines.

Audit your privacy notices against Articles 13 and 14 in detail. Compare what your privacy notice says against each required disclosure. Where your notice says “we may share your data with trusted partners,” replace it with an enumeration of the actual categories of partners and the purpose of each sharing arrangement.

Map your data flows against your notice. If your privacy notice does not accurately reflect the processing activities documented in your data flow records, it fails the most basic accuracy requirement regardless of how well-written it is.

Verify lawful basis specificity. Legitimate interests is a valid lawful basis, but it requires a legitimate interests assessment and a clear explanation of what the interest is and why it overrides data subject rights. A bare assertion of legitimate interests without further detail will not survive examination.

Check your consent mechanisms. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and consent collected before a clear description of what it covers are consistently flagged in DPA investigations across EU member states.

Review your Article 14 compliance. If you purchase data from any source, work with advertising partners, or use data enrichment services, identify what your Article 14 notice looks like and confirm that it has actually been provided to the individuals concerned within the required timeframe.

The EDPB will aggregate findings from all 25 participating DPAs in the second half of 2026 and publish a consolidated report. Organisations found to be non-compliant face national enforcement action through their own DPA, which may include corrective orders, fines, and publication of the enforcement decision.

If you want help auditing your privacy notices against Articles 12 to 14, mapping your data processing activities against your current GDPR documentation, or building a compliance posture that holds up under direct DPA scrutiny, contact Excello Digital. We advise European organisations on current GDPR obligations and the incoming changes under the Digital Omnibus package, so your compliance work stays coherent as the regulatory environment continues to shift.