EDPB 2026 Enforcement: GDPR Transparency & Privacy Notice Ru

The European Data Protection Board (EDPB) has announced a major coordinated enforcement action for 2026, focused on how businesses inform people about the use of their personal data. According to the EDPB, 25 data protection authorities (DPAs) across Europe are taking part in this initiative, which was launched on 19 March 2026.

What is this about?

The action falls under the EDPB's Coordinated Enforcement Framework (CEF), which brings together DPAs from across EU member states to work on a shared compliance theme each year. This year, the focus is on transparency and information obligations under the GDPR, specifically the requirements set out in Art. 12, Art. 13 and Art. 14.

In plain terms, these articles require businesses to clearly tell people what personal data they collect, why they collect it, how long they keep it and what rights people have. This information typically appears in a privacy policy or privacy notice on a website.

What will the DPAs actually do?

According to the EDPB, the participating DPAs will contact controllers from different sectors across Europe. This contact may take the form of a formal enforcement action or a fact-finding exercise. If a DPA finds issues during a fact-finding exercise, it may decide to take further follow-up action.

Later in 2026, the participating DPAs will share their findings with each other. A consolidated report will then be drafted and submitted for adoption by the EDPB. The EDPB has indicated that targeted follow-ups are anticipated at both national and EU levels.

It is not yet known which sectors will be targeted, what criteria DPAs will use to assess compliance, or whether fines or sanctions will result from the actions.

What does this mean for your website?

If your website collects any personal data, such as names, email addresses or browsing behaviour, your privacy notice needs to meet the requirements of Art. 12, Art. 13 and Art. 14 of the GDPR. Now is a good time to review whether your privacy policy is complete, written in plain language and easy for visitors to find. You can use our GDPR compliance checklist and privacy policy requirements guide to check whether your current setup holds up.

---

Source: EDPB, 19 March 2026

What about UK websites?

The UK is outside the EDPB and not part of this 25-DPA coordinated action. The ICO operates independently under UK GDPR and runs its own transparency-enforcement programme. UK GDPR Article 13 and 14 disclosure obligations mirror the EU regime, so the practical compliance bar for privacy-notice content is very similar, but enforcement is handled by the ICO alone.