The European Data Protection Board (EDPB) has selected compliance with the transparency and information obligations as the next EU-wide audit priority for 2026. Specifically, the data protection authorities of the EU member states are to jointly investigate whether companies and public bodies are properly complying with their legal obligations under Articles 12, 13, and 14 GDPR. In concrete terms, the question is whether the individuals concerned are adequately informed about when and how their personal data is processed.
Coordinated approach (CEF) by data protection authorities
The joint action by the supervisory authorities is taking place within the framework of the Coordinated Enforcement Framework (CEF), which was established by the EDPB. The aim of the CEF is to strengthen cooperation between national data protection authorities and to ensure uniform enforcement of the GDPR in Europe. Participation is voluntary. The participating supervisory authorities focus on the same priority topic at the same time and conduct investigations in their respective countries. The results are then compiled in a joint report at EU level, best practices are identified, and weaknesses in the implementation of the requirements are highlighted. If necessary, recommendations or further enforcement measures follow.
The 2026 priority audit "Transparency and duty to inform" is already the fifth joint action. In recent years, the EDPB has conducted coordinated audits on topics including:
- 2023: Appointment and duties of data protection officers
- 2024: Implementation of the right of access by controllers (Art. 15 GDPR)
- 2025: Right to erasure (Art. 17 GDPR)
The choice of the new focus is in line with the EDPB's longer-term strategy, which aims at more consistent and coordinated enforcement of the GDPR.
What does this mean for companies in concrete terms?
The supervisory authorities are expected to use standardized questionnaires to survey the status of transparency measures at many organizations. Depending on the country, they can then either conduct broad random checks or initiate targeted formal audit procedures with individual controllers. In any case, it is to be expected that data protection declarations and similar documentation will be requested and checked for compliance. If violations are found, the authorities have the option of taking further steps, including sanctions.
Violations of transparency requirements are also not "minor formalities": they affect core principles of the GDPR.
At the same time, the campaign offers an opportunity: anyone who implements transparency convincingly strengthens trust and reduces complaints, inquiries, and legal risks.
Weaknesses in implementing Articles 12, 13, and 14 GDPR in practice
From a practical perspective, supervisory authorities are likely to focus primarily on the following "classic weaknesses":
- Clarity and comprehensibility: Is the privacy policy written in language that is understandable to the target audience? Are important details hidden in the "fine print" or in legal jargon?
- Completeness of information: Is all of the information prescribed by Articles 13 and 14 GDPR included, such as the purposes of the processing, the legal basis, the recipients (or categories of recipients), storage periods, and the rights of the data subjects? Are any relevant details missing?
- Information on indirect data collection: If personal data is not collected directly from the data subject, but rather from third parties or publicly available sources, is the subsequent information provided in accordance with Art. 14 GDPR in a timely manner and in an appropriate form? Are processes in place to ensure that the duty to inform is also applied to data from external sources?
- Internal data protection information: Are not only customers and users, but also employees adequately informed about the processing of their data? Companies should ensure that internal data protection notices (e.g., for employees) are kept up to date, as supervisory authorities will likely review more than just publicly available statements, such as the privacy policy on the website.
- Language and structure: Is the language understandable and the presentation clear? Especially when dealing with complex issues (such as the use of cookies, tracking tools, or data transfers to third countries), the information should be designed in such a way that it provides an overview that is understandable to laypersons.
Three practical quick checks to help you prepare
Quick Check 1: Data protection information in practice
Systematically compare the privacy notices with the record of processing activities (RoPA) and the actual data flows: purposes, legal basis, recipients, tools, storage periods.
Quick Check 2: Art. 14 GDPR in view
Identify processes in which data is not collected directly from data subjects (e.g., lead lists, group transfers, service provider data). Check whether and how the duty to provide information is fulfilled or whether exceptions are documented and justified.
Quick Check 3: Test comprehensibility
Have non-lawyers in the company (e.g., sales, HR) read the information. If the content is not understood, this is a strong indication that there is room for improvement and a good reality check for Art. 12 GDPR.
Conclusion on the EDPB audit focus for 2026
By selecting transparency and the duty to inform, the EDPB has set a clear focus for EU-wide audits in 2026: data protection notices will be reviewed in terms of both content and structure. Companies would therefore be well advised to conduct a targeted "transparency audit." This is particularly important where data flows are complex (tracking, platforms, international service providers, group-wide processes). Those who refine their approach now will strengthen not only compliance, but also trust and efficiency in dealing with data subject rights.
Source: Coordinated Enforcement Framework: EDPB selects topic for 2026





