On 19 March 2026, the European Data Protection Board formally launched its fifth Coordinated Enforcement Framework action, with 25 data protection authorities across the European Economic Area simultaneously auditing how organizations communicate data processing to individuals. The target: privacy notices. Not consent flows, not cookie banners, not security measures. Privacy notices. The document most organizations drafted once in 2018 and have barely touched since.
If yours is one of those documents, you are in exactly the right cohort for this enforcement sweep.
Here is what Articles 12, 13, and 14 require, what the most common failures look like, and how to fix them before a DPA asks you to explain yourself.
TL;DR
- Article 12 requires that privacy information be presented concisely, transparently, and in plain language. Legalese fails this test regardless of how complete the content is.
- Article 13 applies when you collect data directly from individuals. It mandates disclosure of controller identity, processing purposes, legal basis, recipients, retention periods, individual rights, and more, at the moment of collection.
- Article 14 applies when you obtain data about someone from another source. It requires the same fields as Article 13 plus the data categories and source, and must be delivered within one month.
- The EDPB's 2026 coordinated enforcement sweep means your existing privacy notice is being reviewed right now by one or more of the 25 participating DPAs, whether or not you know it.
What Is a Privacy Notice and Why It Is Not Just a Privacy Policy
A privacy notice is the information you must give to individuals whose data you process. A privacy policy is an internal or website-level document that describes how your organization handles data broadly. In legal terms under the GDPR, the obligation is for the notice: the specific disclosure to the specific individual, at or before the point when their data is collected or, for indirectly obtained data, within one month.
Most organizations publish one website-level privacy policy and treat it as satisfying both obligations. That approach works only if your privacy policy is structured to deliver all of the Article 13 or Article 14 fields to every relevant category of data subject, in a form those individuals can realistically locate and understand. The WhatsApp enforcement action — a €225 million fine from the Irish Data Protection Commission in September 2021 — turned largely on the failure to clearly inform non-users about how their phone numbers were processed. The information existed somewhere in the documents. It was not clearly communicated to the right audience in an intelligible form.
That distinction between information existing and information being communicated is what the EDPB's 2026 enforcement sweep is designed to test.
Article 12: The Presentation Standard That Applies to Everything
Before the content of your notice matters, Article 12 governs how that content must be presented. The four requirements are concurrent: the notice must be concise, transparent, intelligible, and easily accessible, in clear and plain language.
Concise means no padding. A notice that takes 45 minutes to read in full is not concise, even if every sentence is technically accurate.
Transparent means the information is presented in a way that genuinely informs, not in a way that technically discloses while practically obscuring. The Article 29 Working Party's guidelines on transparency (now adopted by the EDPB) are explicit: transparency is not satisfied by burying disclosures in long documents, using vague category language like "our partners," or presenting information in a font size or color that reduces readability.
Intelligible means a typical member of the relevant audience can understand what you are saying without legal training. If your primary users are consumers, your privacy notice should be readable by a consumer. If your users include children, the standard rises further.
Easily accessible means the notice must be where the individual can find it when they need it, without searching. For websites, this means a direct link at the point of data collection, not merely a footer link on the homepage. For apps, the notice must be reachable from within the app, not only at the point of download.
Article 12 also sets the timing obligation for responding when individuals make requests under their rights: one month as a default, extendable to three months for complex or multiple requests, with an obligation to explain the extension.
Article 13: What You Must Tell People When You Collect Their Data Directly
Article 13 applies every time you collect personal data from the individual themselves. This includes web forms, account creation, checkout processes, survey responses, phone calls where you take personal details, and any other direct collection scenario.
The disclosure must happen at the time of collection. Not later, not when they read your website policy, not when they click a link in a confirmation email. At the time.
The mandatory fields under Article 13:
Controller identity and contact details. Who you are, and how the individual can reach you. If you have a representative in the EU (required for non-EU companies subject to GDPR), include their details too.
DPO contact details. If you have a Data Protection Officer, their contact information must appear in the notice. Not the DPO's name if they prefer not to be named, but a contact method.
Purposes and legal basis. For each processing purpose, you must state both the purpose and the specific Article 6 legal basis you are relying on. "We process your data to improve our services" without a legal basis is not compliant. If you are relying on legitimate interests under Article 6(1)(f), you must name those interests.
Recipients or categories of recipients. Who will receive the data, or which categories of third parties will receive it. "Our partners" is not sufficient. Categories should be specific enough to be meaningful: "payment processors," "email service providers," "advertising networks" are acceptable; "service providers" on its own is not.
Third-country transfers and safeguards. If you transfer data to countries outside the EEA, you must disclose this and identify the safeguard you are using: an adequacy decision, standard contractual clauses, binding corporate rules, or one of the Article 49 derogations. Following the Schrems II ruling and the post-2021 SCC modernization, DPAs are checking whether this disclosure is accurate, not just present.
Retention periods. Either the specific period for which data will be retained, or the criteria used to determine that period. "We retain data for as long as necessary" fails this requirement. See the GDPR storage limitation rules for a breakdown of how to set and document compliant retention periods by data category. "We retain account data for three years after account closure, or for seven years where required by tax law" satisfies it.
Individual rights. You must inform individuals of their rights under Articles 15 to 21: access, rectification, erasure, restriction, data portability, and objection. Where the legal basis is consent, you must separately inform them of the right to withdraw that consent at any time, and that withdrawal does not affect the lawfulness of processing before withdrawal.
Right to complain to a supervisory authority. The individual must be told they can lodge a complaint with a DPA. You do not need to name a specific authority, but informing them of the right is mandatory.
Whether the provision of personal data is a statutory or contractual requirement. If you are collecting data because a law or contract requires it, you must say so, and you must explain what happens if the individual does not provide it.
Automated decision-making and profiling. If you engage in solely automated decisions that produce legal or similarly significant effects, Article 13(2)(f) requires disclosure of the logic, the significance, and the envisaged consequences. This is one of the most frequently omitted fields in existing privacy notices.
Article 14: The Additional Requirements When You Obtain Data Indirectly
Article 14 applies when you collect data about someone from a source other than the person themselves. Common scenarios: purchasing a marketing list, receiving employee data from a parent company, scraping publicly available contact data, obtaining personal data from a business partner who is a controller in their own right.
Article 14 requires everything in Article 13 and adds two fields:
The categories of personal data concerned. Because the individual did not provide the data themselves, they may not know what you hold. The notice must describe the categories.
The source of the data. Where the data originated, including whether it came from publicly accessible sources. "A business partner" is not sufficient without further context about what kind of entity and in what capacity.
Article 13 vs Article 14 at a Glance
| Requirement | Article 13 (direct collection) | Article 14 (indirect collection) |
|---|---|---|
| When does it apply? | Data collected from the individual | Data obtained from a third party or public source |
| Timing | At the time of collection | Within one month of obtaining data, or at first contact, whichever is earlier |
| Controller identity and DPO contact | Required | Required |
| Purposes and legal basis | Required | Required |
| Recipients | Required | Required |
| Third-country transfers | Required | Required |
| Retention periods | Required | Required |
| Data subject rights | Required | Required |
| Right to complain to DPA | Required | Required |
| Automated decision-making | Required where applicable | Required where applicable |
| Categories of personal data | Not required (the individual knows what they provided) | Required |
| Source of the data | Not required | Required |
Timing for Article 14 notices is different from Article 13. You must provide the information within one month of obtaining the data, or at the point of first contact with the individual (if you contact them), or at the point of disclosure to a third party (if you disclose before contacting them), whichever comes first.
Uncertain which scenario applies to a specific data set? Secure Privacy's Privacy & AI Governance Platform maps your data flows in the ROPA module, so you can identify which collection points trigger Article 13 and which processing activities involve indirectly sourced data triggering Article 14.
The Most Common Failures and What They Look Like in Enforcement
The CMS GDPR Enforcement Tracker and DPA decisions across the EEA consistently surface the same gaps:
Vague purpose descriptions. "To improve our services" or "for marketing purposes" without a legal basis, specific purpose, or meaningful elaboration. The Austrian CCTV fine was partly driven by inadequate purpose description in the notice posted for camera surveillance.
Missing or unspecific retention periods. "As long as necessary" is cited in DPA decisions across Germany, France, and the Netherlands as a non-compliant retention disclosure. The retention period must be specific, or the criteria for determining it must be documented and disclosed.
"Our partners" without categories. Vague recipient descriptions that prevent the individual from understanding who receives their data. In the WhatsApp decision, the DPC specifically found that the information about internal Facebook data sharing was not clearly communicated to all relevant data subjects.
Legal basis not stated. Processing purposes listed without the corresponding Article 6 basis. This becomes critical when the individual later wants to exercise their right to object: if the basis was never disclosed, the individual cannot know whether the right to object applies.
Notice not at point of collection. A link in the footer of the homepage does not satisfy the Article 13 obligation when data is collected through a form on a different page. The notice or a direct link to it must be at the collection point.
Automated decision-making disclosure omitted. Companies using credit scoring, insurance pricing, or AI-based hiring tools frequently omit the Article 13(2)(f) disclosure entirely.
The Layered Approach: How to Satisfy Article 12 in Practice
The EDPB's guidelines on transparency (WP29 guidelines, adopted under EDPB continuity) explicitly endorse a layered notice structure. The practical implementation:
Layer 1 presents the most critical information at the point of collection: controller identity, main purposes, the single most important legal basis, key recipients, and a link to the full notice. This layer must be visible without the individual having to navigate elsewhere. It should be readable in under 60 seconds.
Layer 2 is the complete disclosure document covering all Article 13 or 14 fields, accessible via a clear link from Layer 1. This is where the detailed retention schedule, full recipient list, and individual rights information lives.
Layer 3 is optional and useful for complex processing: expandable sections or a privacy dashboard that lets individuals see and manage their specific consents and data processing choices in context.
The layered approach is not a way to hide information. It is a way to make information accessible at the moment it is most relevant, rather than requiring individuals to read a 4,000-word document before registering for a service.
Secure Privacy's Privacy & AI Governance Platform includes a Policies & Documents module that centralizes all privacy notices, tracks review dates, and maintains a version history for audit purposes. When the EDPB's coordinated enforcement results in a DPA information request, the ability to produce version-controlled notices with timestamps and review logs is the difference between a straightforward response and a months-long investigation. The platform also surfaces ROPA data directly into notice reviews, so retention periods and recipient disclosures reflect what the data map actually shows rather than what someone guessed in 2018.
What Compliant Wording Actually Looks Like
The difference between a failing notice and a compliant one is often a matter of specificity, not length. Three field-level comparisons:
Purpose statement
Non-compliant: "We use your data to improve our services and for marketing purposes."
Compliant: "We use your email address to send you order confirmations and shipping updates (legal basis: performance of a contract, Article 6(1)(b)). We use your email address to send you promotional offers for products similar to those you have purchased (legal basis: legitimate interests, Article 6(1)(f); you can object at any time using the link in each email)."
Retention period
Non-compliant: "We retain your data for as long as necessary to provide our services."
Compliant: "We retain your account data for three years after your last login, or for seven years where required by tax or accounting law, whichever is longer. We delete marketing contact data within 30 days of an unsubscribe request."
Recipients
Non-compliant: "We may share your data with our partners."
Compliant: "Your data is shared with Stripe (payment processing), Mailchimp (email delivery), and Google Analytics (website analytics). None of these parties are authorized to use your data for their own purposes. See our full vendor list for countries of transfer and safeguards."
Your Privacy Notice Review Checklist for 2026
Work through this list against your current notice before a DPA arrives with their own:
- Controller identity and contact details: present and current?
- DPO contact (if appointed): included?
- For each processing activity: purpose stated with specific Article 6 basis?
- Recipients: categories specific enough to be meaningful?
- Third-country transfers: disclosed with named safeguard?
- Retention: specific period or specific criteria, per data category?
- Rights: all seven listed, with a method to exercise each?
- Right to complain to a supervisory authority: included?
- Whether data provision is mandatory and consequences of refusal: disclosed where applicable?
- Automated decision-making: disclosed where it exists?
- Timing: is the notice or a direct link at every point of collection?
- Language: can a non-expert read this in one pass without re-reading?
If any box is unchecked, fix it before July 2026. The second half of 2026 is when participating DPAs share findings with each other and the EDPB consolidates them. Organizations that resolve gaps in the first half of the year are in a materially different position from those that are flagged during the review.
Book a demo of Secure Privacy's Privacy & AI Governance Platform to see how the Policies & Documents module supports notice drafting, version control, and ROPA-linked review workflows.
FAQ
What is the difference between a privacy notice and a privacy policy?
A privacy notice is the mandatory disclosure to individuals under GDPR Articles 13 and 14. A privacy policy is a broader organizational document describing data handling practices. In practice, many organizations satisfy the notice obligation through a publicly accessible privacy policy, but only if that document delivers all mandatory fields to each relevant category of data subject in an accessible form.
Does Article 13 require a separate notice for every form on my website?
Not necessarily a separate document, but the notice or a link to it must be present at the point of data collection. A single privacy notice document can cover multiple collection points as long as individuals encountering each form have a clear, direct way to access the relevant information before or at the time they submit data.
What does "at the time of collection" mean for Article 13?
It means the individual must be able to access the privacy information before or at the moment they provide their data. A link to the privacy policy in a confirmation email sent after form submission does not satisfy this requirement. The link or the information itself must be present on the form page.
Do I need separate Article 13 and Article 14 notices?
You need to satisfy the relevant requirements for each situation. Many organizations have a single privacy notice that covers both scenarios in separate sections, with clear labeling for which section applies to data collected directly versus data obtained from third parties.
What counts as "clear and plain language" under Article 12?
The ICO guidance describes it as language a typical member of the relevant audience can understand without legal expertise. Specific markers of non-compliance: sentences over 30 words as the norm, legal terms used without definition, passive constructions that obscure who is doing what, and category-level descriptions that have no practical meaning (for example, "our service providers").
What is the consequence of a non-compliant privacy notice?
Fines under the lower tier of GDPR penalties: up to €10 million or 2% of global annual turnover, whichever is greater. In addition, non-compliant notices frequently appear as an aggravating factor in larger enforcement actions, as they indicate a systemic approach to transparency rather than an isolated error. The WhatsApp decision combined the notice failures with other transparency violations to produce the €225 million total.
Does the EDPB's 2026 enforcement action create new requirements?
No. Articles 12, 13, and 14 have been in force since May 2018. The enforcement action applies the existing requirements. What it does change is the probability of being audited: 25 DPAs running coordinated reviews means a materially higher chance that any specific organization's notice is examined this year.
How often should a privacy notice be reviewed?
At minimum, whenever your processing activities change: a new tool, a new data category, a new purpose, a new third-party recipient, or a change in retention practice all trigger a review obligation. Beyond event-driven reviews, an annual audit against the Article 13/14 checklist is consistent with demonstrable accountability under Article 5(2).
The EDPB's 2026 coordinated enforcement action is not a warning shot. It is the audit. Twenty-five DPAs are reviewing notices right now, and their findings will be pooled into a European-level report that will inform further enforcement through 2027. Organizations that use the first half of 2026 to review and update their privacy notices are in a different risk position from those that wait.
Start with Secure Privacy's Privacy & AI Governance Platform to centralize your notice management, link disclosures to your ROPA, and maintain the version history that turns a DPA inquiry into a straightforward conversation.




