EDPB Announces 2026 Coordinated Enforcement Action on GDPR Transparency (Articles 12-14): A Guide for Global Organisations
Executive Summary
On October 14, 2025, the European Data Protection Board (EDPB) announced that its 2026 Coordinated Enforcement Action (CEA) will target transparency and information obligations under GDPR Articles 12, 13, and 14. This EU-wide action will see national Data Protection Authorities (DPAs) jointly investigate how organizations inform individuals about the collection, use, and sharing of their personal data.
For global organizations, this signals a critical shift. Regulators are moving beyond "check-the-box" compliance and will be actively scrutinizing the clarity, accessibility, and completeness of privacy notices. Non-compliance risks significant fines and reputational damage. This article breaks down what the 2026 CEA means, who it affects, and how your organization can prepare.
1. What is the EDPB Coordinated Enforcement Action (CEA)?
Each year, the EDPB, which is composed of all national data protection authorities (DPAs) across the European Economic Area (EEA), selects a key GDPR topic for a coordinated "deep dive."
- What is it? A CEA is a joint initiative where DPAs across the EEA simultaneously investigate the same compliance topic.
- Why does it matter? It allows authorities to pool resources, share findings, and ensure the GDPR is applied consistently.
- The Result: A sharp increase in audits, investigations, and potential enforcement actions related to the chosen topic.
Past CEAs have focused on Data Protection Officers (DPOs) and the Right of Access. The 2026 focus on transparency is arguably the most fundamental yet, as it forms the bedrock of all data subject rights.
2. The 2026 Focus: Deconstructing GDPR Articles 12, 13, & 14
The EDPB's action will scrutinize compliance with three core articles. These rules govern how you tell people about your data processing.
Article 12: The "How" — Your Obligations for Transparency
This article sets the quality standard for your communications. All information must be:
- Concise: No unnecessarily long-winded text.
- Transparent: Clear, not deceptive.
- Intelligible: Easy for your target audience to understand (no "legalese").
- Easily Accessible: Not hidden in a footer or on a hard-to-find page.
- In Clear and Plain Language: Especially crucial if addressing children.
Article 12 also sets the timelines for responding to data subject requests (e.g., for access or erasure), typically within one month.
Article 13: The "What" — Information to Provide When Collecting Data Directly
When you get data directly from the individual (e.g., they fill out a website form, sign up for a newsletter, or create an account), you must provide them with the following at the time of collection:
- Who you are (Controller's identity and contact details).
- Your DPO's contact details (if you have one).
- What you're doing with their data (the "purposes" of processing).
- Why you're allowed to (the "legal basis," e.g., consent, contract, legitimate interest).
- Who you'll share it with (recipients or categories of recipients).
- If you'll send it outside the EEA (and what safeguards are in place).
- How long you'll keep it (the retention period).
- Their Rights (access, rectification, erasure, objection, etc.).
- Their right to withdraw consent (if consent is your legal basis).
- Their right to complain to a DPA.
Article 14: The "What" — Information to Provide When Collecting Data Indirectly
This is a common blind spot. When you get data from a third-party source (e.g., a data broker, a partner company, or a public list), you still have to inform the individual.
You must provide all the information from Article 13, plus two crucial additions:
- The categories of personal data you have collected (e.g., "contact details," "professional history").
- The source of the data (e.g., "from our partner, XYZ Corp" or "from publicly available sources").
You must provide this information within a "reasonable period," and no later than one month after obtaining the data.
3. What the 2026 CEA Means for Your Global Organisation
1. Increased Scrutiny on "Day One" Compliance: Your privacy notice is often the first document a regulator or auditor will read. A notice that is vague, incomplete, or hard to find is an immediate red flag that signals deeper compliance issues.
2. The End of "Legalese": DPAs will be testing whether a regular person can understand your practices. Simply copying and pasting legal text is a clear path to non-compliance. Expect a focus on user experience (UX), "just-in-time" notices, and layered formats.
3. Global Impact, Local Enforcement: This action applies to any organization in the world that processes the personal data of individuals in the EEA (e.g., offering goods or services, or monitoring their behaviour). You don't need a physical presence in the EU to be investigated and fined.
4. The Risk is Real: Fines for transparency breaches can fall under the higher tier of GDPR penalties—up to €20 million or 4% of global annual turnover, whichever is higher.
4. Quick-Fire Q&A: Preparing for the 2026 Transparency Action
Q: We are a B2B company. Does this still apply to us?
A: Yes. You still process personal data, even if it's just the contact details (name, email, phone) of your business clients or prospects. If you obtain a list of leads from a third party, Article 14 applies.
Q: What is the single biggest mistake companies make with transparency?
A: Using vague, "catch-all" language. Phrases like "we may use your data for marketing purposes" or "we may share data with partners" are insufficient. You must be specific about what purposes and which partners (or at least categories of partners).
Q: Our privacy notice was written by lawyers. How can we make it "intelligible"?
A: Use a layered approach.
- Layer 1: A simple, high-level summary with key points.
- Layer 2: A more detailed, "click-to-expand" section for each topic (e.g., "Marketing," "Analytics," "Data Sharing").
- Layer 3: The full, comprehensive legal text for those who want it.
Also, involve your marketing and UX teams. Test your notice with real users.
Q: We have hundreds of data collection points. Where do we even start?
A: You must start with a data map. You cannot be transparent about what you're doing if you don't know what you're doing. This is where a dedicated privacy compliance management platform becomes essential.
5. How Formiti Data International and Privacy360 Can Help
The 2026 EDPB Coordinated Enforcement Action on transparency isn't just a legal challenge; it's an operational data governance challenge.
At Formiti Data International, we are experts in navigating complex global data protection regulations. We don't just provide legal advice; we provide a practical, technology-driven path to compliance.
Our Privacy360 Privacy Compliance Management Platform is purpose-built to solve this exact problem.
Achieve Demonstrable Transparency with Privacy360:
- Centralised Notice Management: Manage all your privacy notices (for websites, apps, employees, etc.) from a single, auditable platform.
- Version Control: Automatically track all changes to your notices, creating a historical record to demonstrate accountability to regulators.
- Link to Your Data Map: Connect your privacy notices directly to your Article 30 Records of Processing Activities (ROPAs). This ensures that what you say you're doing (in your notice) matches what you're actually doing (in your records).
- Operationalise Article 14: Privacy360 helps you manage the process of notifying individuals whose data you've obtained indirectly, ensuring you meet the 30-day deadline.
- Audit-Ready Reporting: When a DPA comes knocking, generate a complete, time-stamped report of your transparency notices and data processing activities with a single click.
Your Next Steps
The 2026 enforcement action is not a distant threat; it is a clear statement of intent from Europe's top regulators. The time to prepare is now.
Don't wait to be investigated. Move from "check-the-box" compliance to a culture of demonstrable transparency.
Contact Formiti Data International today for a strategic consultation on the EDPB's 2026 CEA, or request a demo of our Privacy360 platform to see how you can automate and simplify your transparency obligations.
