Source: EDPB
The European Data Protection Board (EDPB) has announced a major coordinated enforcement action for 2026, focused on how businesses inform people about the use of their personal data. According to the EDPB, 25 data protection authorities (DPAs) across Europe are taking part in this initiative, which was launched on 19 March 2026.
The action falls under the EDPB's Coordinated Enforcement Framework (CEF), which brings together DPAs from across EU member states to work on a shared compliance theme each year. This year, the focus is on transparency and information obligations under the GDPR, specifically the requirements set out in Art. 12, Art. 13 and Art. 14.
In plain terms, these articles require businesses to clearly tell people what personal data they collect, why they collect it, how long they keep it and what rights people have. This information typically appears in a privacy policy or privacy notice on a website.
According to the EDPB, the participating DPAs will contact controllers from different sectors across Europe. This contact may take the form of a formal enforcement action or a fact-finding exercise. If a DPA finds issues during a fact-finding exercise, it may decide to take further follow-up action.
Later in 2026, the participating DPAs will share their findings with each other. A consolidated report will then be drafted and submitted for adoption by the EDPB. The EDPB has indicated that targeted follow-ups are anticipated at both national and EU levels.
It is not yet known which sectors will be targeted, what criteria DPAs will use to assess compliance, or whether fines or sanctions will result from the actions.
If your website collects any personal data, such as names, email addresses or browsing behaviour, your privacy notice needs to meet the requirements of Art. 12, Art. 13 and Art. 14 of the GDPR. Now is a good time to review whether your privacy policy is complete, written in plain language and easy for visitors to find. You can use our GDPR compliance checklist and privacy policy requirements guide to check whether your current setup holds up.
Source: EDPB, 19 March 2026
Free website scan covering GDPR, copyright, accessibility, security, and more.
Start free checkA large Belgian tech company received a total fine of 176,000 euro from the Belgian Data Protection Authority for failing to timely delete the mailbox of a former female employee.
Dutch legal blog Ius Mentis explains that GDPR makes it legally impossible to obtain valid consent for personal data use through terms of service or general conditions, and that Article 7(2) GDPR…
On 19 March 2026, the CJEU ruled in Case C-526/24 (Brillen Rottler) that a data subject's first DSAR can be refused as 'excessive' under Article 12(5) GDPR if the controller can demonstrate abusive…