EDPB to Prioritize Transparency in Enforcement Actions by 2026

On October 14, 2025, the European Data Protection Board (“EDPB”) announced its focus for the 2026 coordinated enforcement action (“CEA”) will be on transparency and information obligations. This encompasses the critical rules mandating organizations to clearly articulate how they collect, use, and share personal data, grounded in Articles 12-14 of the General Data Protection Regulation (“GDPR”). This initiative signals a progressive step towards ensuring personal data privacy is front and center in the digital age.

The EDPB, which comprises representatives from the data protection authorities across Europe, selects a GDPR-related focal point each year. This coordinated effort not only enhances collaboration among data protection authorities but also ensures a unified approach to enforcement across the European Economic Area (EEA). In the past, the EDPB has tackled various issues, such as the function and appointment of data protection officers, as well as the implementation of rights related to data access and erasure. These collective efforts ultimately aim to foster a stronger, more data-protective environment in Europe.

If your organization operates under the GDPR umbrella, here’s what you can anticipate from the 2026 CEA on transparency:

• You may receive a questionnaire from your national data protection authority. This document will inquire about how your organization informs individuals regarding their personal data usage, emphasizing the importance of transparent communications like privacy notices.
• The nature of the questionnaire may vary: It could be mandatory or optional, depending on how your authority decides to leverage it. This means it could form part of a wider investigation or simply aim to collect data on compliance practices.
• Authorities will meticulously review responses to identify widespread challenges or compliance gaps. This examination may lead to the issuance of guidance, training opportunities, or additional actions to enhance compliance across the board.
• Investigations may follow for organizations whose responses raise red flags. This could result in formal warnings, directives to alter practices, or even financial penalties, always underscoring the vital nature of compliance.

Ultimately, organizations should gird themselves to justify how they adhere to transparency requirements as outlined in the GDPR. It’s essential to act promptly if any internal practices are found lacking in this regard.

As the 2026 CEA gathers momentum, authorities are set to commence their scrutiny in the upcoming weeks. Given that transparency has historically been a major concern for regulators, this focused initiative is likely to catalyze an increase in investigations, which may carry more stringent repercussions than seen in previous years.

Recent enforcement actions have sharpened the focus on the granularity of detail required in privacy notices. Notably, some authorities now demand organizations explicitly disclose each third country to which personal data is transferred. This evolving landscape indicates that accountability and transparency obligations outlined in Articles 13 and 14 of the GDPR may be interpreted with greater strictness moving forward.

*          *          *

At Covington, our Data Privacy and Cybersecurity team offers comprehensive guidance to companies navigating GDPR compliance, including transparency obligations and data subject rights. We’re ready to assist with any inquiries, including supervisory authority questionnaires, ensuring your organization remains equipped to meet regulatory expectations.