In the past few years, the data protection supervisory authorities have announced in advance which privacy topic will receive increased scrutiny for the calendar year. In 2026 information and transparency obligations have been chosen.
These are not individual national actions, but part of an EU-wide Coordinated Enforcement Framework (CEF).
This means that:
- Some authorities in several Member States are simultaneously checking how controllers are fulfilling their information and transparency obligations – in other words, how well data subjects are being informed about what happens to their personal data (“privacy notice”).
- It is important to note that the focus is not whether all the i’s have been dotted and t’s have been crossed, but rather about the quality, comprehensibility and accessibility of data protection notices as a whole.
The most common mistake we see is the “strictly ornamental” privacy notice:
- The notice was created years ago
- It is often copied, but never updated
- The information no longer corresponds to the actual data processing
- The wording itself is legally correct, but practically incomprehensible
The problem here is the understanding of transparency. Transparency does not mean that a text exists somewhere. It means that data subjects actually understand what is happening.
For the 2026 enforcement focus area a key question will be: ‘Can a normal person understand this – or only someone with a law degree?’
What does this mean for you?
If your data protection notice is already based on our current templates, adapted to your company and the specific data processing and updated regularly, there is no need to worry.
If you have data protection notices that may be a little outdated, now would be an excellent time to update these!
Don’t forget to also update your record of processing activities with your updated privacy notices. If you document these in foxondo you will find the relevant questions in each process in the question “Data protection notices for data subjects” (PG-400 or PHR-400).
Would you like to know more about the background for the CEFs?
You can find more information here:
- Coordinated Enforcement Framework of the European Data Protection Board
- Press release on the coordinated priority audit
Summary:
Check whether your data protection notices are still up to date and actually intelligibletruly comprehensible. Then you can face any inspection from the supervisory authority with confidence.