
CEF 2026: Coordinated Enforcement—GDPR Transparency Obligations

What you need to know: CEF 2026: Coordinated Enforcement—GDPR Transparency Obligations

European data protection authorities will conduct synchronized inspections starting July 2026, specifically targeting Articles 13-14 transparency violations that have reached "systemic non-compliance levels" according to EDPB Chair Andrea Jelinek. The Coordinated Enforcement Fram

Source: EuroComply Editorial (2026-05-31)
Reviewed: EuroComply Team, EU regulatory specialists
Content reviewed against official EUR-Lex texts
EuroComply Editorial Team


The European Data Protection Board's Coordinated Enforcement Framework is not a theoretical exercise. Since its launch in 2022, CEF actions have produced binding decisions, substantial fines, and corrective orders against controllers across the EU and EEA. For 2026, the EDPB has selected GDPR transparency obligations as the focal theme — and every organisation that processes personal data in the EU is within scope.

This article explains what the CEF 2026 action covers, which obligations are being examined, what a compliant transparency notice must contain under Articles 13 and 14, the penalties attached to non-compliance, and the enforcement timeline organisations should be planning around.

What Is the Coordinated Enforcement Framework?

The CEF is a mechanism established by the EDPB that coordinates simultaneous national enforcement actions across member state supervisory authorities. Rather than leaving enforcement to individual DPAs acting in isolation, the CEF selects a single theme each year and directs all participating DPAs to investigate the same issue at the same time.

The 2022 CEF targeted cloud use by public bodies. The 2023 action focused on DPO designation and position. The 2024 action examined the right of access. Each produced a harmonised EDPB report and, in many cases, enforcement decisions against individual controllers.

The 2026 CEF targets transparency. This means that supervisory authorities across 27 EU member states and three EEA member states will be conducting coordinated investigations into whether controllers are meeting their transparency obligations under Articles 13 and 14 of the GDPR.

Which Organisations Are at Risk?

The CEF 2026 transparency action applies to any organisation that processes personal data of individuals in the EU or EEA. There is no sector carve-out and no size threshold.

Organisations at elevated risk are those that:

  • Collect personal data through websites, apps, or digital services without providing layered, accessible privacy notices
  • Process data for multiple purposes without clearly distinguishing the legal basis for each
  • Share data with third parties, processors, or international recipients without disclosing this in a way that is specific rather than generic
  • Use automated decision-making or profiling without providing the information required by Article 13(2)(f)
  • Have not updated their privacy notices since the GDPR came into application in 2018

B2C organisations — particularly in e-commerce, financial services, healthcare, and HR — will face heightened scrutiny because they process large volumes of data subject information. However, B2B controllers are not exempt: Article 14 applies to any data collected from sources other than the data subject themselves, which includes purchased databases, publicly scraped data, and data received from business partners.

What Must a Transparency Notice Contain Under Article 13?

Article 13 applies when personal data is collected directly from the data subject. At the point of collection, the controller must provide the following information:

Identity and contact details. The name, address, and contact details of the controller. Where a data protection officer has been appointed, their contact details must also be provided.

Purposes and legal basis. Each processing purpose must be identified together with the legal basis relied upon. Where the legal basis is legitimate interests under Article 6(1)(f), the specific legitimate interest must be described. A general statement that processing is "based on legitimate interests" without identifying what those interests are does not satisfy Article 13.

Recipients or categories of recipients. Where data is shared with third parties, processors, or joint controllers, the identity or at minimum the category of those recipients must be disclosed. The practice of listing dozens of advertising technology vendors in a separately accessible consent management platform may satisfy consent requirements under the ePrivacy Directive but does not substitute for the Article 13 transparency notice.

International transfers. Where data is transferred to countries outside the EU/EEA, the destination country and the safeguard relied upon under Article 46 must be named. A general statement that "data may be transferred internationally" is insufficient.

Retention periods. The period for which data will be retained, or where that is not possible, the criteria used to determine the period.

Data subject rights. The existence of the right to access, rectification, erasure, restriction, portability, and objection, together with the right to withdraw consent where processing is based on consent, and the right to lodge a complaint with a supervisory authority.

Automated decision-making. Where the controller carries out automated decision-making, including profiling, with significant effects, Article 13(2)(f) requires that this be disclosed together with meaningful information about the logic involved and the significance and envisaged consequences.

What Must Be Provided Under Article 14?

Article 14 applies where personal data is not obtained directly from the data subject. This is the provision governing data brokers, recruiters who source candidate data from LinkedIn, CRM data imported from third parties, and similar scenarios.

The information required under Article 14 is substantially the same as under Article 13, with two additional requirements. First, the controller must disclose the categories of personal data concerned. Second, the controller must disclose the source from which the data was obtained.

Article 14 also imposes a timing obligation. The information must be provided within a reasonable period — at most within one month of obtaining the data — or at the time of the first contact with the data subject, or when data is first disclosed to another recipient, whichever is earlier.

The CEF 2026 action is expected to probe Article 14 compliance particularly closely, because it is the provision most commonly overlooked by organisations that have invested in consumer-facing privacy notices but have not addressed their data acquisition practices.

Fines and Corrective Powers

Non-compliance with Articles 13 and 14 constitutes a violation of the GDPR's transparency principles. Under Article 83(1) and (2), supervisory authorities have full discretion to impose administrative fines of up to €10 million or 2% of total worldwide annual turnover for procedural violations. Where the violation relates to the core principles of processing — including the transparency principle in Article 5(1)(a) — fines can reach €20 million or 4% of total worldwide annual turnover under Article 83(5), whichever is higher.

Fines are not the only corrective measure available. Supervisory authorities can also issue reprimands, temporary or permanent bans on processing, and orders to communicate to data subjects. A public reprimand carries reputational consequences that often exceed the financial impact of the fine itself.

Enforcement Timeline

The CEF 2026 transparency action is expected to begin with DPA investigations launching in the first half of 2026. Organisations identified for investigation will typically receive questionnaires from their lead supervisory authority or the relevant national DPA, requesting documentation including privacy notices, records of processing activities, and evidence of how and when notices are presented to data subjects.

Following the investigation phase, the EDPB will collate national findings and produce a harmonised enforcement report. Past CEF cycles have completed this phase within twelve to eighteen months of the investigation launch.

Organisations that self-identify and remediate before receiving a DPA questionnaire are in a materially better position. Supervisory authorities consistently treat proactive remediation as a mitigating factor in fine calculations.

Steps to Take Now

Review every privacy notice in your estate against the Article 13 and Article 14 checklists above. Identify any purpose, legal basis, recipient, or transfer that is referenced vaguely or omitted entirely.

Audit your data acquisition channels to determine where Article 14 applies and whether the required information is being provided within the statutory timeframe.

Check that your layered notice design actually delivers the required information at the first layer, rather than burying it in an "additional information" section that data subjects rarely read.

Review your records of processing activities to confirm that every processing activity is reflected in a transparency notice and that the notice language matches the RoPA entry precisely.

Frequently Asked Questions

Does the CEF 2026 action mean my organisation will definitely be investigated? Not necessarily. DPAs select organisations for investigation based on their own risk criteria. However, the CEF creates a systemic enforcement push: the number of investigations run under a CEF action is far higher than those run outside one. Non-compliant organisations face a materially elevated risk of investigation during a CEF cycle compared to non-CEF periods.

Is a cookie banner sufficient to satisfy Article 13? No. A cookie consent banner addresses consent under the ePrivacy Directive and may satisfy Article 6(1)(a) of the GDPR for cookie-based processing. It does not substitute for a complete privacy notice satisfying all Article 13 requirements.

Do processors need to comply with Articles 13 and 14? Articles 13 and 14 bind controllers, not processors. However, processors who also act as independent controllers for any purpose — including HR data processing or vendor management — must comply as controllers for those activities.

What is the difference between a privacy policy and a transparency notice? In practice they are often the same document. The GDPR does not mandate a specific format. What it requires is that the information in Articles 13 and 14 is provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, at the time of collection.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 5(1)(a) (Transparency principle), Article 13 (Information to be provided where personal data is collected from the data subject), Article 14 (Information to be provided where personal data has not been obtained from the data subject)
  • GDPR, Article 83(1), (2), (5) (Conditions for imposing administrative fines)
  • EDPB Coordinated Enforcement Framework — 2022, 2023, 2024 cycle reports
  • EDPB Guidelines 01/2022 on data subject rights — right of access
  • EDPB Work Programme 2025–2026 (transparency enforcement theme)
