The European Data Protection Board (“EDPB”) has confirmed that its 2026 Coordinated Enforcement Framework (“CEF”) will focus on transparency and information obligations under the General Data Protection Regulation.

This represents a shift from the 2025 CEF action, which concentrated on how organisations respond to data subject rights requests, in particular the right to erasure under Article 17 GDPR. That work focused on operational compliance and how effectively organisations identify, assess and delete personal data when required, in an area that has generated a high volume of complaints.

The 2026 initiative instead turns to how organisations inform individuals about the use of their personal data. The focus will be on compliance with Articles 12 to 14 GDPR, which require information to be clear, accessible and provided in a timely manner. Around 25 supervisory authorities will participate, with findings to be shared at EU level and expected to inform further coordinated enforcement activity.

In practice, this will mean closer scrutiny of privacy notices and the overall user experience around transparency. Regulators are likely to examine not just the content of notices, but also where and when they are presented, how easy they are to understand, and whether layered or contextual approaches are used. The coordinated nature of the exercise increases the likelihood that issues identified in one Member State may lead to wider cross-border engagement.

From an Irish perspective, this initiative may lead to more targeted supervisory activity by the Data Protection Commission in this area. While not every organisation will be directly investigated, the CEF typically involves information gathering, questionnaires and targeted inquiries. It also tends to lead to follow-on enforcement where systemic issues are identified. Irish organisations, particularly those with cross-border processing activities, should expect increased engagement and a greater risk that deficiencies in transparency could form part of broader investigations.

Organisations should take this opportunity to review and simplify their privacy notices, ensure that information is provided at all relevant data collection points, and retain clear records demonstrating how and when individuals are informed.

If you have any questions about this topic please contact partner, Cian Clinch who would be happy to advise on any queries regarding the matter.